On 2013-08-21 at 12:52 -0600, Peter Saint-Andre wrote:
> 5. No server-to-server connections without TLS.
>
> 6. Require proper certificate checking (RFC 6120 / RFC 6125) for TLS
> negotiations.
>
> 7. Require support for CRLs/OCSP to detect expired/revoked certs.
>
> And there are probably more.
DNSSEC and DANE verification to avoid requiring third party certificate authorities (beyond "DNS management")? Which servers are currently able to be clients for this?

I believe that my spodhuis.org s2s setup is currently correct, with DANE trust anchors, albeit with the full cert in DNS which makes for a large record and thus some interop issues.

The recipient of the connection doesn't need to do anything special in server configuration, it's all around publishing the correct information in DNS and having DNSSEC deployed. The server which is the connection initiator (and TLS initiator) needs to be able to check that it's getting AD verification for the DNS results and to be able to splice the DANE data into the TLS verification chain.

I don't have time to work on code for this right now (and if I did, Exim would be getting that time first), but anyone who is: feel free to try s2s connections to my server to test, either to my first.lastname @spodhuis.org or, if you're working on code, I'll happily give accounts out for that. Desired account details can be encrypted to PGP key 0x403043153903637F and I'll take care of it. (In case I don't recognise your name, a pointer to your GitHub/similar page so I know you're a coder and not a spammer looking for accounts would be helpful).

-Phil
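As an added illustration (not code from this thread or from any XMPP server), here is a Python model of the two initiator-side checks described above: refusing TLSA data that did not come back with the AD flag set, and matching the presented certificate against the published TLSA record. It uses constructed byte strings in place of a real DER certificate and SubjectPublicKeyInfo, handles only the DANE-EE usage (3) with full-data or SHA-256 matching, and also shows why a full-certificate record (matching type 0) is as large as the certificate itself while a SHA-256 record is 32 bytes.

```python
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 TLSA field values handled here (assumption: DANE-EE usage only, no chain building)
USAGE_DANE_EE = 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256 = 0, 1

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo (not real ASN.1)
CERT_DER = b"CONSTRUCTED-DER-CERT:" + bytes(range(256)) * 4
SPKI_DER = b"CONSTRUCTED-SPKI:" + bytes(range(64))

@dataclass
class TLSARecord:
    usage: int
    selector: int
    matching: int
    data: bytes      # association data: full cert/SPKI (matching 0) or its SHA-256 (matching 1)

@dataclass
class DnsAnswer:
    ad: bool         # AD bit from the validating resolver: True only if DNSSEC validated the answer
    records: list    # TLSARecord objects returned for the s2s target host

def association(selector: int, matching: int, cert_der: bytes, spki_der: bytes):
    # Association data a TLSA record would carry for this cert, or None if unsupported
    selected = {SEL_FULL_CERT: cert_der, SEL_SPKI: spki_der}.get(selector)
    if selected is None:
        return None
    if matching == MATCH_FULL:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return None

def make_tlsa(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> TLSARecord:
    # Publisher side: the record the domain owner would put in DNS
    return TLSARecord(USAGE_DANE_EE, selector, matching, association(selector, matching, cert_der, spki_der))

def dane_verify(answer: DnsAnswer, cert_der: bytes, spki_der: bytes):
    """Initiator side: returns (ok, reason). Unauthenticated DNS data is never trusted."""
    if not answer.ad:
        return False, "TLSA answer lacks AD flag; refusing to use unauthenticated DANE data"
    usable = [r for r in answer.records if r.usage == USAGE_DANE_EE]
    if not usable:
        return False, "no TLSA record with a supported usage"
    for rec in usable:
        expected = association(rec.selector, rec.matching, cert_der, spki_der)
        if expected is not None and hmac.compare_digest(expected, rec.data):
            return True, f"matched TLSA {rec.usage} {rec.selector} {rec.matching}"
    return False, "presented certificate matches no TLSA record"
```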
