On 3 dec. 2013, at 22:56, Jesse Thompson <[email protected]> wrote:
> On 12/3/2013 11:24 AM, Peter Saint-Andre wrote:
>> We need POSH for authenticated encryption. If people think that
>> unauthenticated encryption is good enough for some purposes, then they
>> don't need POSH or DANE/DNSSEC. Personally I'd prefer authenticated
>> encryption, so I still think that POSH is useful in the short to
>> medium term and DANE/DNSSEC is useful in the long term.
>
> Maybe this was already said, but it's a little unclear.
>
> So, it's OK that my domains score an "F" for failing the "authenticated
> encryption" related tests at the IM Observatory? Having an "F" does not mean
> that we will be cut off from the network on the test days?
>
> Jesse

From the manifesto:

   o prefer authenticated encryption (via digital certificates) for
     server-to-server connections; if authenticated encryption is not
     available, fall back to opportunistic encryption with identity
     verification using Server Dialback

So if you do not provide a way for other servers to authenticate you properly, you should keep dialback support enabled. Of course there might be servers that want to enable encryption *and* secure authentication, but that would be beyond what the manifesto calls for.

Thijs
