On Wed 2015-07-22 02:55:02 -0400, Keith Moore wrote:
> The way AQRY is written at the moment, a mail domain can outsource its
> AQRY redirect server to a different party than its mail service
> provider, so it's not having to trust their MSP with their private
> keys.
Maybe i've misread the draft, but isn't it possible to avoid trusting
your MSP with any private keys even without the redirection? The MSP
needs to keep a mapping from account→pubkey/cert (and can obviously
spoof this mapping), but no private key access is needed.
Rather, it looks to me like the goal of the redirection is just
operational streamlining -- to make it possible to maintain this mapping
at a different location (or as a separate service) than the canonical
MTA.
can you clarify?
--dkg
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
