On 10/22/23 9:08 AM, Slavko via mailop wrote:
> On 22 October 2023 12:50:52 UTC, user Philip Paeps <[email protected]> wrote:
>> Note that, as far as email is concerned, plaintext downgrade attacks are much
>> more likely than fraudulent certificates.
> Hmm, and what about MUAs?
As Philip pointed out, DNSSEC-authenticated ACME account/method binding would have had no issue
preventing this attack. Now, the government mandate could have also been adapted to force some CA to
issue a certificate, but with sensible monitoring of C-T logs and reporting, that would likely be
grounds for CA removal (eventually... of course MUAs actually using DANE like MTAs do would be much
simpler).
Matt
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
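
The ACME account/method binding mentioned in the reply above, sketched as the check a CA would run before issuing. This is an added example, not part of the original thread; it assumes the binding meant is the CAA `accounturi` and `validationmethods` parameters of RFC 8657, and the CA name, account URIs and records are constructed. It also assumes the CAA RRset was already DNSSEC-validated, since an unsigned answer can be forged by whoever controls the path.

```python
# Added example: evaluate CAA "issue" values with RFC 8657 parameters.
# All names, URIs and records below are constructed for illustration.

def parse_issue_value(value):
    """Split a CAA 'issue' value into (issuer_domain, {parameter: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if part:
            tag, _, val = part.partition("=")
            params[tag.strip().lower()] = val.strip()
    return issuer, params


def record_authorizes(value, ca_domain, account_uri, method):
    """True if this single 'issue' value authorizes the request."""
    issuer, params = parse_issue_value(value)
    if issuer != ca_domain.lower():
        return False
    # accounturi: only the named ACME account may rely on this record.
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False
    # validationmethods: only the listed challenge types are acceptable.
    if "validationmethods" in params:
        allowed = {m.strip() for m in params["validationmethods"].split(",")}
        if method not in allowed:
            return False
    return True


def issuance_allowed(issue_values, ca_domain, account_uri, method):
    """Apply the CAA decision over every 'issue' value in the RRset."""
    if not issue_values:
        return True  # no 'issue' property: CAA places no restriction
    return any(record_authorizes(v, ca_domain, account_uri, method)
               for v in issue_values)


OWNER = "https://acme.ca.example/acct/1001"   # constructed account URI
OTHER = "https://acme.ca.example/acct/2002"   # constructed account URI
UNBOUND = ["ca.example"]
BOUND = ["ca.example; accounturi=" + OWNER + "; validationmethods=dns-01"]

if __name__ == "__main__":
    # An on-path party passing http-01 under its own account:
    print("unbound CAA:", issuance_allowed(UNBOUND, "ca.example", OTHER, "http-01"))
    print("bound CAA:  ", issuance_allowed(BOUND, "ca.example", OTHER, "http-01"))
```

With the unbound record, any account that passes a network-reachable challenge is authorized; with the bound record, only the owner's account using dns-01 is.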