On 23 Aug 2015, at 20:46, [email protected] wrote:

> You are HTTPS biased, I guess. With an unsigned MX your secure chain is broken
> because the target you try to reach by an e-mail address is directed to a
> target by an "unsecure" link. If the unsecure resolved target is then secured
> doesn't matter because you might be already on the wrong track.
>
> Security is only as strong as the weakest point in the chain.
Agree, but I think the cert for the TLS can be trusted in two ways: either by looking at the TLSA record or by looking at the CA X.509 chain. I think they are equivalent and both have exactly the same weakness if the MX is unsigned. I do not see why one of these two mechanisms should be "invalid" just because the MX is unsigned.

Patrik
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
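The dependency both messages argue about, the DNSSEC status of the MX lookup gating any later TLSA check, can be made concrete. The following is an added example, not code from the thread or from any MTA; it models an SMTP client's per-host decision after RFC 7672 section 2.2, with the MX and TLSA lookup states, TLSA records and certificate bytes all constructed for the demonstration (only DANE-EE records, usage 3, are matched).

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR (RFC 6698): usage, selector, matching type, association data."""
    usage: int     # 3 = DANE-EE (end entity), 2 = DANE-TA (trust anchor)
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def assoc_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Reduce the presented certificate to the form the TLSA record is compared with."""
    chosen = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def tlsa_matches(rrs, cert_der: bytes, spki_der: bytes) -> bool:
    # Only DANE-EE (usage 3) is checked here; DANE-TA needs the whole chain and is left out.
    return any(rr.usage == 3 and rr.data == assoc_data(cert_der, spki_der, rr.selector, rr.mtype)
               for rr in rrs)


def smtp_dane_policy(mx_state: str, tlsa_state: str, tlsa_rrs, cert_der: bytes, spki_der: bytes) -> str:
    """Decide the delivery mode for one MX host (after RFC 7672 section 2.2).

    mx_state / tlsa_state are the DNSSEC validation results of the MX and TLSA lookups:
    'secure', 'insecure' (unsigned zone) or 'bogus' (signed, but validation failed)."""
    if "bogus" in (mx_state, tlsa_state):
        return "defer"              # lookup failure: never fall back to cleartext
    if mx_state == "insecure":
        # The MX name itself was not authenticated, so the client cannot know it reached
        # the right host; no TLSA (or CA) check on that host repairs this. Best effort only.
        return "opportunistic-tls"
    if tlsa_state == "insecure" or not tlsa_rrs:
        return "opportunistic-tls"  # DANE is not applicable for this host
    if tlsa_matches(tlsa_rrs, cert_der, spki_der):
        return "dane-verified"
    return "refuse"                 # secure TLSA published, nothing matched: do not deliver


if __name__ == "__main__":
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"   # constructed stand-ins
    rr = TLSA(3, 0, 1, hashlib.sha256(cert).digest())                # "3 0 1 <sha256>"
    for mx in ("secure", "insecure"):
        print(mx, "MX ->", smtp_dane_policy(mx, "secure", [rr], cert, spki))
```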
