On Wed, May 04, 2016 at 01:38:22AM +0200, Daniel Margolis wrote:
> Yeah, I agree on the two points. But is it safe for us to assume that
> "smtp-sts-policy" is not an untrusted host? This was our concern, given
> examples like dyndns.org or tumblr.com. Of course, an attacker also has to
> do DNS injection, but with insecure DNS that's in our threat model.
I think that tumblr.com and dyndns.org can figure out a way to
avoid delegating that particular prefix.
> This is the argument for imposing this specific (nonstandard) certificate
> requirement (that it match the bare domain), albeit with the implementation
> risk that you point out. I think this is a real tradeoff--the risk of
> someone screwing up cert validation versus the risk of someone ceding the
> host to an untrusted person.
I think the implementation screwup risk is higher. The more vanilla
the design requirements, the more likely implementors are to get
it right.
--
Viktor.
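The two certificate rules being weighed in this exchange, written out as plain name-matching logic (an added example, not code from the thread or from any SMTP-STS implementation). It assumes the policy host is the "smtp-sts-policy" label prefixed to the domain, that the certificate's identities are given as a list of dNSName SAN strings, and that wildcards follow the usual single left-most-label rule; the tenant/provider certificates are constructed to mirror the dyndns.org case.

```python
# Added example: compare the vanilla policy-host check with the proposed
# "must also match the bare domain" check. Assumptions: policy host is
# POLICY_PREFIX + "." + domain; certs are represented by their dNSName SANs.

POLICY_PREFIX = "smtp-sts-policy"


def _match_dns_name(pattern, host):
    """Exact match, or a '*' covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:
            return False  # refuse over-broad wildcards such as "*.org"
        head, sep, rest = host.partition(".")
        return sep == "." and head != "" and rest == suffix
    return False


def standard_check(domain, san_names):
    """Vanilla rule: cert must be valid for the policy host name itself."""
    host = "%s.%s" % (POLICY_PREFIX, domain)
    return any(_match_dns_name(n, host) for n in san_names)


def bare_domain_check(domain, san_names):
    """Proposed nonstandard rule: cert must also be valid for the bare domain."""
    return any(_match_dns_name(n, domain) for n in san_names)


def policy_cert_acceptable(domain, san_names, require_bare_domain):
    """Accept the policy host's cert under one of the two designs."""
    if not standard_check(domain, san_names):
        return False
    return bare_domain_check(domain, san_names) if require_bare_domain else True


# Constructed certificates for a provider that hands out subdomains.
# A tenant who controls only the policy-host name can obtain TENANT_CERT;
# only the provider itself can obtain PROVIDER_CERT.
TENANT_CERT = ["smtp-sts-policy.dyndns.org"]
PROVIDER_CERT = ["dyndns.org", "*.dyndns.org"]

if __name__ == "__main__":
    for label, cert in (("tenant", TENANT_CERT), ("provider", PROVIDER_CERT)):
        print(label, "vanilla:", policy_cert_acceptable("dyndns.org", cert, False),
              "bare-domain:", policy_cert_acceptable("dyndns.org", cert, True))
```

The tenant certificate passes the vanilla rule and fails the bare-domain rule, which is exactly the trade being discussed: the stricter rule closes the delegated-subdomain case at the cost of a custom check that every implementor has to get right.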
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta