John Levine via mailop <mailop@mailop.org> writes:

> I realize conspiracy theories are fun, but I actually talked to the
> people who designed MTA-STS at the time they were developing it.

I guess I was a bit harsh, and also could have made it more clear that I'm guessing at what could be the reason for such a move. However, calling my guess a "conspiracy theory" is, I think, a bit over the top. I'm not suggesting that any kind of conspiracy exists, merely that Google did something for the most common reason any company does anything. I shouldn't have suggested that they deliberately set out to fool people, though. As I pointed out, it says right in the RFC that MTA-STS is an inferior and less secure alternative to DANE.

> Google people did the largest amount of work, and they told me that
> they didn't (and still don't) do DNSSEC because too much stuff other
> places would break. Their DNS infrastructure is quite able to handle
> DNSSEC, but they believed that it would be too long until DNSSEC and
> DANE would work reliably so MTA-STS was the kludge in the meantime.

I don't get it. Surely, things would only "break" where people have tried to implement these mechanisms, presumably in order to improve their security, and done it wrong? Those installations are already broken, but their owners are unaware. If a big player like Google were to implement DANE support, they would probably notice, and fix their mistakes. After all, DNSSEC and DANE have worked reliably for a very long time, but, like most other things, MTA-STS included, they have to be correctly configured by those who are using them.

> Clearly opinions can vary. Comcast's mail system is pretty big, and
> they do use DNSSEC and DANE.

Also, Microsoft, the other big party in the MTA-STS design work, is in the process of implementing it. They already correctly verify DNSSEC and DANE when sending email, and are working on the incoming support. Big players implementing these things is important, because it gives momentum to the spreading of awareness and use elsewhere. Fundamental security mechanisms like DNSSEC and RPKI ought to be ubiquitous.
On a related note, I also wish the big browsers would check for DNSSEC and DANE, show the user the result, and refuse to connect to a web site with one or more DNSSEC-protected TLSA records, but none matching the presented certificate. Meanwhile, I use the "DNSSEC/DANE Validator" plugin in Firefox, configured to do exactly that.

-tih
-- 
Most people who graduate with CS degrees don't understand the significance of Lisp. Lisp is the most important idea in computer science. --Alan Kay

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
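The check the message above wishes browsers would do (TLSA records present, none matching the presented certificate, so refuse), as an added example that is not part of the original post, the Firefox plugin it mentions, or any MTA. It implements the RFC 6698 selector and matching-type rules and the RFC 7671 "unusable record" fallback. Assumptions, labelled in the code: the TLSA RRset has already been DNSSEC-validated by the caller (this code does no DNS); the caller supplies each chain element's DER certificate and DER SubjectPublicKeyInfo (in a real client from `ssl.getpeercert(binary_form=True)` and, for the SPKI, the `cryptography` package's `public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)`); the certificate byte strings here are constructed placeholders, not real certificates; and DANE-TA (usage 2) is simplified to "the record matches some issuer in the presented chain" without the path validation to that issuer a full implementation also performs.

```python
"""DANE TLSA matching (RFC 6698 / RFC 7671) against a presented certificate chain.

Added example, not code from the original post. Assumes the TLSA RRset was
DNSSEC-validated upstream and that DER certificate and DER SubjectPublicKeyInfo
bytes are supplied by the caller. Certificate bytes below are constructed
placeholders, not real certificates.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# RFC 6698 field values
DANE_TA, DANE_EE = 2, 3            # usages verifiable without a CA store
SEL_CERT, SEL_SPKI = 0, 1          # selector: full certificate vs SubjectPublicKeyInfo
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2

Chain = Sequence[Tuple[bytes, bytes]]  # (cert_der, spki_der) pairs, end-entity first


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 ab12...' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def usable(r: TLSA) -> bool:
    """Usages 0/1 (PKIX-TA/PKIX-EE) need CA-store path validation, which this example
    does not do. RFC 7671 says records a client cannot process are 'unusable', not
    failures, so they are filtered out rather than treated as a mismatch."""
    return (r.usage in (DANE_TA, DANE_EE)
            and r.selector in (SEL_CERT, SEL_SPKI)
            and r.matching_type in (MT_FULL, MT_SHA256, MT_SHA512))


def association_data(r: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field should contain for this certificate."""
    selected = cert_der if r.selector == SEL_CERT else spki_der
    if r.matching_type == MT_FULL:
        return selected
    if r.matching_type == MT_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation-format rdata to publish in the zone for this certificate."""
    r = TLSA(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(r, cert_der, spki_der).hex()}"


def record_matches(r: TLSA, chain: Chain) -> bool:
    """DANE-EE must match the leaf; DANE-TA must match an issuer in the chain
    (simplified: a full client also checks the leaf chains to that issuer)."""
    candidates = chain[:1] if r.usage == DANE_EE else chain[1:]
    return any(hmac.compare_digest(association_data(r, c, s), r.data) for c, s in candidates)


def dane_decision(rrset: List[str], chain: Chain) -> str:
    """'no-dane' -> fall back to ordinary PKIX; 'match' -> connect;
    'mismatch' -> records exist but none match: the case to refuse."""
    usable_records = [r for r in map(parse_tlsa, rrset) if usable(r)]
    if not usable_records:
        return "no-dane"
    if any(record_matches(r, chain) for r in usable_records):
        return "match"
    return "mismatch"


# Constructed placeholders standing in for DER bytes (not real certificates).
LEAF_DER, LEAF_SPKI = b"constructed leaf certificate", b"constructed leaf spki"
ISSUER_DER, ISSUER_SPKI = b"constructed issuer certificate", b"constructed issuer spki"
CHAIN = [(LEAF_DER, LEAF_SPKI), (ISSUER_DER, ISSUER_SPKI)]


def demo() -> Tuple[str, str, str]:
    good = tlsa_rdata(DANE_EE, SEL_SPKI, MT_SHA256, LEAF_DER, LEAF_SPKI)
    stale = "3 1 1 " + hashlib.sha256(b"key from before a rotation").hexdigest()
    return dane_decision([good], CHAIN), dane_decision([stale], CHAIN), dane_decision([], CHAIN)


if __name__ == "__main__":
    print(demo())  # the stale record is exactly the situation the post wants refused
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one usually recommended because it survives certificate renewal as long as the key is kept, and RFC 7671 allows a DANE-EE match to stand in for the PKIX name and expiry checks. The record must also be looked up at the right owner name for the port and protocol (for a web site, `_443._tcp.` under the host name), which this example leaves to the caller along with the DNSSEC validation.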