On 24 Aug 2015, at 5:00, Viktor Dukhovni wrote:

> On Mon, Aug 24, 2015 at 04:51:19AM +0200, Patrik Fältström wrote:
>
>> What I read in the draft, and what I read in the paper Jan wrote after
>> testing Postfix and what I read here in the responses I get is that DANE
>> is trusted LESS than X.509 certs.
>
> This is a misapprehension on your part.

Thank you!

>> 1. X.509
>>
>> 1.1 Unsigned MX
>> 1.2 cert validated from some CA that is trusted
>
> No. Non-DANE SMTP does unauthenticated TLS, and the cert is ignored, whether
> its trust chain verifies or not.
>
>> 2. DANE
>>
>> 2.1 Unsigned MX
>> 2.2 cert validated via signed TLSA with DNSSEC chain of trust to some TA
>
> In both cases no authentication is performed.
>
>> I think they should be equivalent.
>
> They are equivalent, you get no protection from active attacks.

Thanks!

>> If they are, also in the implementation in postfix, then just tell me and
>> I'll shut up.
>
> With "smtp_tls_security_level = dane", the two cases are treated identically,
> neither authenticates the peer, and both deliver the mail regardless of the
> content of the peer certificate if any.

Excellent! That was what I was hoping. Then I misunderstood the tests Jan did.

Patrik
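The point above is that opportunistic DANE ("dane") gives no protection against an active attacker when the destination's MX is not DNSSEC-signed, because without a signed MX there is no TLSA record the client can trust, and delivery degrades to unauthenticated TLS. The following Postfix configuration fragment is an added illustration, not part of the thread; the domain names, file paths and the per-destination choices are constructed assumptions. It shows the opportunistic default beside the per-destination settings an operator uses when unauthenticated delivery to a particular correspondent is not acceptable.

```ini
# main.cf (constructed example, not from the thread)

# "dane" is only meaningful if the Postfix SMTP client asks a DNSSEC-validating
# resolver for the AD bit; without this, every destination behaves like "may".
smtp_dns_support_level = dnssec

# Default: opportunistic DANE. Signed MX + usable TLSA -> authenticated TLS.
# Unsigned MX -> unauthenticated TLS, the peer certificate is ignored, the
# mail is delivered anyway (the case discussed in the thread).
smtp_tls_security_level = dane

# Per-destination overrides for correspondents where "deliver anyway" is wrong.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# CA trust store, needed only by the "secure" entries in the policy map.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt


# /etc/postfix/tls_policy (constructed example; run "postmap" after editing)

# Correspondent whose MX is NOT DNSSEC-signed: "dane" would silently fall back
# to "may", so require CA-verified TLS with an explicit server-name match.
# Delivery is deferred, not sent in the clear, if the name or chain fails.
example.com     secure match=.example.com:example.com

# Correspondent known to publish DNSSEC-signed MX and TLSA records: refuse to
# deliver unless DANE authentication actually succeeds (no fallback to "may").
example.net     dane-only
```

Whether a given destination ends up authenticated can be checked from the command line with `posttls-finger -l dane destination.example` (option names as documented for Postfix 2.11 and later); look for "Verified TLS connection" versus "Untrusted" or "Anonymous" in its output.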
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
