> On May 1, 2016, at 5:00 PM, John Levine <[email protected]> wrote:
>
>> So using the domain as-is and dealing with any provisioning politics
>> looks to be the only sensible option.
>
> Not to put Daniel on the spot, but since he happens to work for one of
> the largest mail providers in the world, would it be a problem to put
> the STS stuff at URLs like these?
>
> https://google.com/.well-known/sts-policy
> https://gmail.com/.well-known/sts-policy
>
> My impression from the conversation in B.A. was that it'd be
> a big problem.

We need to put the organizations behind this draft on the spot to
not shirk this issue. There's no free lunch. I think it is fair
to ask the email folks at the large providers to negotiate with
others in their organization to deploy this in a manner that results
in a simpler security model.

SRV is very much not "webby". HTTPS libraries don't do SRV lookups,
or else when asked to connect to a hostname resolved via SRV outside
the library, will authenticate the insecurely obtained target name.
So either the above ".well-known", or a kludgey reserved hostname
prefix, but there's no precedent for such reservations.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
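The point about SRV indirection above, as an added Python simulation (not code from the thread or from any MTA-STS implementation): an HTTPS client verifies the certificate against whatever host name it was told to connect to, so a name taken from an unsigned SRV answer is trusted as-is. The SRV label, host names and certificates are constructed, and the "pinned" variant is an assumed illustration of the extra check that stock libraries do not perform.

```python
def san_matches(name, san):
    """RFC 6125-style match: exact label match, or a leftmost-label wildcard."""
    name, san = name.lower(), san.lower()
    if san.startswith("*."):
        n_labels, s_labels = name.split("."), san.split(".")
        return len(n_labels) == len(s_labels) and n_labels[1:] == s_labels[1:]
    return name == san

def tls_name_check(connect_host, cert_sans):
    """What an HTTPS library verifies: the presented certificate must cover the
    host it was asked to connect to. It does not know how that name was chosen."""
    return any(san_matches(connect_host, san) for san in cert_sans)

# Constructed DNS answers (the _mta-sts._tcp label is an assumption). An unsigned
# SRV answer is an indirection an on-path attacker can rewrite (FORGED_DNS); the
# ".well-known" scheme never consults it, the name is the policy domain itself.
HONEST_DNS = {"_mta-sts._tcp.example.com": "sts.example.com"}
FORGED_DNS = {"_mta-sts._tcp.example.com": "sts.attacker.example"}

# Constructed certificates: host -> subjectAltName entries. The attacker holds a
# perfectly valid certificate, but only for a host the attacker controls.
CERTS = {
    "example.com": ["example.com"],
    "sts.example.com": ["sts.example.com", "example.com"],
    "sts.attacker.example": ["sts.attacker.example"],
}

def fetch_policy(domain, dns, mode):
    """Return (host_contacted, accepted) for policy discovery in the given mode."""
    if mode == "well_known":
        connect_host = domain                          # name is the policy domain
    elif mode == "srv":
        connect_host = dns["_mta-sts._tcp." + domain]  # name from unsigned DNS
    else:
        raise ValueError(mode)
    # The library authenticates connect_host, whatever its provenance. Even if an
    # attacker redirects the connection, the well-known case still needs a
    # certificate for the policy domain, which the attacker does not hold.
    return connect_host, tls_name_check(connect_host, CERTS[connect_host])

def fetch_policy_pinned(domain, dns):
    """Assumed hardening, not from the thread: follow the SRV target but verify
    the certificate against the policy domain, i.e. override the verified name.
    This is the step the reply notes HTTPS libraries do not take by themselves."""
    connect_host = dns["_mta-sts._tcp." + domain]
    return connect_host, tls_name_check(domain, CERTS[connect_host])
```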