Andrew C Aitchison via mailop <[email protected]> wrote:
> I know that TLS is only hop-to-hop, not end-to-end
> and that MTA-MTA only has STARTTLS, not fully encrypted connections,
> but it does allow client certificates as well as server certificates.
> What would we need in order for SMTP TLS client certificates
> to have a useful place in authenticating the sender ?
> DNSSEC would probably help; are there other useful missing pieces ?
https://datatracker.ietf.org/wg/dance/documents/
Finally past WGLC... Some people have challenges getting to the next step.
SMTP TLS client authentication is definitely in the architecture.
But, as others asked: what will you do with the result?
Authenticated relaying/submission is high on some people's list, but I don't
think the subscribers to this list care about that (internal) problem.
SPF identifies valid senders mostly via forward DNS, turning that into a list
of acceptable IPv4/v6, and comparing to what the connection is.
Along the way, one could collect a TLSA certificate for the forward name.
Or, given the client-side certificate provided, one could look up the forward
name in the SAN, and look for a matching TLSA RR with a certificate.
That's what the TLS option in DANCE is about: it says it's worth the lookup.
What do you do with the result? It doesn't authenticate the email itself at
all.
Perhaps it could be used by high-volume senders who have many many outgoing
relays to mitigate grey listing. "Look ma! it's still me!"
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
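The lookup sketched in the message above (take the forward name from the client certificate's SAN, fetch the TLSA RRset for it, compare the certificate or its SubjectPublicKeyInfo against the record data) is shown below as an added example; it is not code from the original post, from the DANCE working group, or from any MTA. Everything it uses is constructed inline: the SAN names, the SPKI bytes, the "cert" bytes, the TLSA zone, and the `_smtp-client` owner-name prefix are all assumptions made for the example, and the restriction to DANE-EE (usage 3) is a policy choice, not a requirement stated on the page. DNS is modelled as an in-memory dict, so no DNSSEC-validated lookup is performed. An SPF-style network check is included alongside it to make the contrast concrete: SPF binds the connection's IP, the TLSA check binds the connecting relay's key to a name. Neither says anything about the message itself, which is the point the message above makes.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple

# --- Constructed inputs (not real keys or certificates) ---------------------
# The SAN dNSName(s) the relay presents in its client certificate.
CLIENT_SAN = ["mx-out-07.example.net"]
# A made-up Ed25519-shaped SubjectPublicKeyInfo: DER header plus 32 dummy bytes.
CLIENT_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
# Placeholder for the full DER certificate (only used by selector 0 records).
CLIENT_CERT_DER = b"\x30\x03\x02\x01\x00"


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def tlsa_owner_name(client_name: str, prefix: str = "_smtp-client") -> str:
    """Owner name of the client's TLSA RRset.  The '_smtp-client' label is an
    assumption for this example, not something the message specifies."""
    return f"{prefix}.{client_name.rstrip('.')}"


def association_data(cert_der: bytes, spki_der: bytes, rr: TLSA) -> bytes:
    """Compute what a record with this selector/mtype should contain."""
    if rr.selector == 0:
        obj = cert_der
    elif rr.selector == 1:
        obj = spki_der
    else:
        raise ValueError("unknown selector")
    if rr.mtype == 0:
        return obj
    if rr.mtype == 1:
        return hashlib.sha256(obj).digest()
    if rr.mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type")


def publish_tlsa_rr(spki_der: bytes) -> TLSA:
    """What the sending operator publishes: DANE-EE, SPKI, SHA-256 ("3 1 1")."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


def tlsa_presentation(rr: TLSA) -> str:
    """Zone-file presentation format of a TLSA record."""
    return f"{rr.usage} {rr.selector} {rr.mtype} {rr.data.hex()}"


def tlsa_matches(cert_der: bytes, spki_der: bytes, rrset: Iterable[TLSA],
                 allowed_usages: Tuple[int, ...] = (3,)) -> bool:
    """True if any usable record in the RRset matches the presented cert.
    Records with unknown parameters are unusable and skipped, not fatal."""
    for rr in rrset:
        if rr.usage not in allowed_usages:
            continue
        try:
            expected = association_data(cert_der, spki_der, rr)
        except ValueError:
            continue
        if hmac.compare_digest(expected, rr.data):
            return True
    return False


def authenticate_client(san_names: Sequence[str], cert_der: bytes,
                        spki_der: bytes,
                        zone: Dict[str, Tuple[TLSA, ...]]) -> Optional[str]:
    """Return the SAN name whose TLSA RRset vouches for this certificate.
    `zone` stands in for a DNSSEC-validated resolver (assumption)."""
    for name in san_names:
        if tlsa_matches(cert_der, spki_der, zone.get(tlsa_owner_name(name), ())):
            return name
    return None


def ip_in_spf_networks(addr: str, networks: Iterable[str]) -> bool:
    """The SPF-style comparison: is the connecting IP inside an allowed net?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


# Constructed "zone": the operator published one 3 1 1 record for the relay.
ZONE: Dict[str, Tuple[TLSA, ...]] = {
    tlsa_owner_name("mx-out-07.example.net"): (publish_tlsa_rr(CLIENT_SPKI_DER),),
}

if __name__ == "__main__":
    print(tlsa_presentation(publish_tlsa_rr(CLIENT_SPKI_DER)))
    print(authenticate_client(CLIENT_SAN, CLIENT_CERT_DER, CLIENT_SPKI_DER, ZONE))
    print(ip_in_spf_networks("192.0.2.25", ["192.0.2.0/24", "2001:db8::/32"]))
```

A positive result from `authenticate_client` tells the receiver only that whoever holds the key behind the presented certificate is the party named in the (assumed DNSSEC-signed) TLSA record; it does not cover the envelope sender or the message, which is why the remaining question is what policy to attach to that name.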
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
