On Tue, May 03, 2016 at 11:57:40PM +0200, Daniel Margolis wrote:
> > By "TXT" resolution do you mean publishing the target URI in the
> > DNS TXT record? If so, I thought that idea was abandoned.
>
>
> It was, but only because we had been thinking we would just use a
> hard-coded hostname instead. The two have the same security properties. (Of
> course the TXT approach and the SRV approach are basically equivalent.)
>
> In any event, since I think we all agree that the certificate probably has
> to match the bare TLD, it seems like the discussion could be rephrased to
> be closer to how John just formulated it, i.e. the security and operational
> tradeoff of:
If a fixed (but valid as a hostname) prefix is specified, then it
neither needs to be sent via TXT or SRV records, nor does the
certificate have to match the parent domain, and it would be better
if the certificate matched the authority of the implicit HTTPS URI.
Thus, though the name would not be exclusively reserved for STS,
the simplest approach if sub-domains are so important is to choose
a prefix, say "smtp-sts-policy", and when sending mail to example.com,
look for policy at something close to:
https://smtp-sts-policy.example.com/.well-known/smtp-sts-policy
with a certificate that matches the prefixed name.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
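To make the trade-off in the message concrete, here is an added example (not code from the thread or from any STS implementation) that derives the policy URL from the fixed prefix and checks whether a certificate's dNSName SANs cover the prefixed host rather than the bare parent domain; the function names and the SAN lists are assumptions constructed for illustration.

```python
from typing import List

# Fixed, hostname-valid prefix as proposed in the message.
STS_PREFIX = "smtp-sts-policy"
WELL_KNOWN_PATH = "/.well-known/smtp-sts-policy"


def policy_host(recipient_domain: str) -> str:
    """Policy host for mail addressed to recipient_domain (prefix + parent domain)."""
    domain = recipient_domain.strip().rstrip(".").lower()
    return f"{STS_PREFIX}.{domain}"


def policy_url(recipient_domain: str) -> str:
    """Implicit HTTPS URI at which the sender looks for the policy."""
    return f"https://{policy_host(recipient_domain)}{WELL_KNOWN_PATH}"


def name_matches(pattern: str, host: str) -> bool:
    """Reference-identifier match in the RFC 6125 style: exact match, or a
    single leading '*' label that stands for exactly one host label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_authorizes_policy(san_dns_names: List[str], recipient_domain: str) -> bool:
    """True only if the certificate covers the policy host, i.e. the authority
    of the HTTPS URI. A certificate issued for the bare parent domain alone
    does not qualify, which is the point of checking the prefixed name."""
    host = policy_host(recipient_domain)
    return any(name_matches(name, host) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed sample SAN lists, not real certificates.
    print(policy_url("example.com"))
    print(cert_authorizes_policy(["smtp-sts-policy.example.com"], "example.com"))  # True
    print(cert_authorizes_policy(["example.com"], "example.com"))                  # False
```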