On 23 Aug 2015, at 21:33, Paul Wouters wrote: > So we have: > > - unsigned domain -> deliver without authentication, allow any TLS credential > - signed domain with unsined mx target -> deliver without authentication, > allow any TLS credential > - signed domain with signed mx target -> deliver only if authentication > succeeded. > > You seem to want something like: > > - unsigned domain with signed mx target -> deliver if authentication > succeeds - despite possible spoofed MX record
I more and more think I understand what I am asking for and what I want. My apologies if what I now write seems to be different from what I wrote earlier. I want the validation of the cert used for the TLS connection to use the same rules for trust regardless of whether DANE is used (i.e. signed and properly validated TLSA record for the peer) or if X.509 cert/PKI from some CA is in use. What I read in the draft, and what I read in the paper Jan wrote after testing Postfix and what I read here in the responses I get is that DANE is trusted LESS than X.509 certs. And I think that is wrong. I.e. we have two cases: 1. X.509 1.1 Unsigned MX 1.2 cert validated from some CA that is trusted 2. DANE 2.1 Unsigned MX 2.2 cert validated via signed TLSA with DNSSEC chain of trust to some TA I think they should be equivalent. If they are, also in the implementation in postfix, then just tell me and I'll shut up. Patrik
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
