On 02/12/2015 15:54, John R Levine wrote:
If there's no SRV-ID, you don't need SNI since all 100,000 domains
point at the same server name.
Yes, but then they can't be verified automatically by MUAs, so each
of them would need to be approved manually by users.
Aren't we back to RFC 6186? If the MUA developers are going to open
up the code to add new checks for the server's certificate, why not
also add checks for the appropriate SRV records? I realize that not
everyone does DNSSEC, but the SRV check will be a lot more effective
than yet another baffling warning that ends with "check OK if you ever
want to see your mail again".
If you can suggest a couple of sentences to add, that would be appreciated.
_______________________________________________
Uta mailing list
uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
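An added example (my own code, not anything from this thread or from any MUA) of the two verification paths under discussion: a certificate that carries an SRV-ID for the user's mail domain, versus a certificate that only names the shared server host, which can be trusted only when the RFC 6186 SRV answer that led there was DNSSEC-validated. `SrvAnswer`, `cert_matches` and the (type, value) SAN representation are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SrvAnswer:
    """What the MUA learned from the RFC 6186 lookup (constructed model)."""
    service: str          # queried service label, e.g. "_submission._tcp"
    domain: str           # the user's mail domain that was queried
    target: str           # host named by the SRV record
    dnssec_validated: bool

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def cert_matches(srv: SrvAnswer, san: list[tuple[str, str]]) -> Optional[str]:
    """Return why the certificate is acceptable for srv.domain, or None.
    san: subjectAltName entries as (type, value), e.g. ("DNS", "mail.hoster.example")."""
    # Path 1: SRV-ID (RFC 6125 section 6.5).  The certificate names the
    # service *and* the mail domain, so one shared server can be verified
    # for any customer domain, independent of how the host was discovered.
    wanted_srv_id = srv.service.split(".")[0] + "." + _norm(srv.domain)
    if any(k == "SRVName" and _norm(v) == wanted_srv_id for k, v in san):
        return "srv-id"
    # Path 2: a DNS-ID for the mail domain itself.  Also independent of the
    # SRV answer, but a shared host cannot carry every customer's name.
    if any(k == "DNS" and _norm(v) == _norm(srv.domain) for k, v in san):
        return "dns-id-domain"
    # Path 3: a DNS-ID for the SRV target.  Only trustworthy when the SRV
    # record was DNSSEC-validated; otherwise a forged SRV answer could point
    # the client at any host that holds a valid certificate for itself.
    if srv.dnssec_validated and any(
            k == "DNS" and _norm(v) == _norm(srv.target) for k, v in san):
        return "dns-id-target"
    return None

def demo() -> dict:
    """Constructed inputs: 'example.com' hosted on a shared submission server."""
    shared_cert = [("DNS", "mail.hoster.example")]
    srv_id_cert = shared_cert + [("SRVName", "_submission.example.com")]
    plain = SrvAnswer("_submission._tcp", "example.com", "mail.hoster.example", False)
    signed = SrvAnswer("_submission._tcp", "example.com", "mail.hoster.example", True)
    return {
        "shared cert, unsigned SRV": cert_matches(plain, shared_cert),   # None: warn user
        "shared cert, DNSSEC SRV":   cert_matches(signed, shared_cert),  # "dns-id-target"
        "SRV-ID cert, unsigned SRV": cert_matches(plain, srv_id_cert),   # "srv-id"
    }
```

The first case is the "baffling warning" situation: the host's own certificate is fine, but nothing ties it to the user's domain unless either the SRV answer or the certificate itself does.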