> On May 15, 2016, at 8:58 AM, Daniel Margolis <[email protected]> wrote:
>
> Interesting point.
>
> I think you're right that this would work for many (most? all?) CAs that do
> email-based domain ownership validation. Whether this is within the scope of
> what STS should address (in that we generally are assuming CA certs are
> trustworthy) I am not sure. And domain walking (as Viktor said) seems a bit
> crude to me, after all.
Domains with wildcard MX records that want active-attack resistant SMTP
transport security should do DANE. This works without requiring any
parent-domain policy walking.
*.example.net. IN MX 0 smtp.example.net.
smtp.example.net. IN A 192.0.2.1
_25._tcp.smtp.example.net. IN TLSA 3 1 1 <server-public-key-digest>
_25._tcp.smtp.example.net. IN TLSA 2 1 1 <issuer-public-key-digest>
DNSSEC protects the integrity of the wildcard MX and the TLSA RRs for the shared
MX host. No kludgey tree-walking required.
STS should not specify parent-domain lookups; it is already complex/fragile
enough.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
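The TLSA matching Viktor's records rely on, written out as an added example that is not part of this thread or of any MTA's code: the owner name is derived from the MX host and port (`_25._tcp.smtp.example.net.`), the TLSA presentation format is parsed into usage/selector/matching-type/data, and a DANE-EE(3) record is compared against the end-entity SubjectPublicKeyInfo while a DANE-TA(2) record is compared against the issuer certificates in the chain. The `Cert` values are constructed stand-ins (raw bytes in place of real DER) so the example runs offline; a real client would take the DER from the TLS handshake and verify the wildcard MX and TLSA answers with DNSSEC before trusting them.

```python
import hashlib
from typing import List, NamedTuple


class TLSA(NamedTuple):
    usage: int      # 2 = DANE-TA (trust anchor / issuer), 3 = DANE-EE (end entity)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data (digest or raw bytes)


class Cert(NamedTuple):
    der: bytes      # whole certificate (constructed stand-in for DER)
    spki: bytes     # SubjectPublicKeyInfo (constructed stand-in)


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an MX host, e.g. _25._tcp.smtp.example.net."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def _digest(data: bytes, mtype: int) -> bytes:
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def _selected(cert: Cert, selector: int) -> bytes:
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unsupported selector {selector}")


def tlsa_matches(records: List[TLSA], chain: List[Cert]) -> bool:
    """True if any usable TLSA record authenticates the presented chain.

    chain[0] is the server's end-entity certificate, chain[1:] the issuers it sent.
    PKIX-TA(0) and PKIX-EE(1) are not used for SMTP DANE (RFC 7672), so they are skipped.
    """
    for rr in records:
        if rr.usage == 3:
            candidates = chain[:1]      # DANE-EE: the leaf itself, no PKIX chain check
        elif rr.usage == 2:
            candidates = chain[1:]      # DANE-TA: an issuer the server included in its chain
        else:
            continue
        try:
            want = rr.data
            for cert in candidates:
                if _digest(_selected(cert, rr.selector), rr.mtype) == want:
                    return True
        except ValueError:
            continue                    # unusable record: skip, do not fail closed on it
    return False


# Constructed sample data (not real keys): the shared MX host's key and its issuer's key.
LEAF = Cert(der=b"constructed-leaf-cert", spki=b"constructed-leaf-spki")
ISSUER = Cert(der=b"constructed-issuer-cert", spki=b"constructed-issuer-spki")

# The two records from Viktor's example, with digests computed over the stand-in SPKIs.
RECORDS = [
    parse_tlsa("3 1 1 " + hashlib.sha256(LEAF.spki).hexdigest()),
    parse_tlsa("2 1 1 " + hashlib.sha256(ISSUER.spki).hexdigest()),
]


def check_example() -> bool:
    """Run the check a DANE-aware SMTP client would perform for smtp.example.net."""
    assert tlsa_owner_name("smtp.example.net") == "_25._tcp.smtp.example.net."
    return tlsa_matches(RECORDS, [LEAF, ISSUER])


if __name__ == "__main__":
    print("DANE match:", check_example())
```

Because every mailbox under `*.example.net` resolves to the same MX host, one TLSA RRset at `_25._tcp.smtp.example.net.` covers all of them; a client never needs to look up a policy at the parent domain, which is the point Viktor makes against parent-domain walking in STS.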