> On May 15, 2016, at 11:40 PM, Daniel Margolis <[email protected]> wrote:
> 
> Domains with wildcard MX records that want active-attack resistant SMTP
> transport security should do DANE.  
>  
> I don't think the attack has anything to do with wildcard MXs, though I may 
> be mistaken.

The original discussion was how to provide transport security for domains that
have lots of sub-domains receiving mail via a wildcard MX record.  My point is
that DANE handles this.

As for CAs, their DV validation outbound MTAs very rarely (typically just once
and never again) send traffic to any given domain, and STS policy simply does
not help with first contact against an active attack at time of certificate
issue.

I don't think STS can address this problem; certificate transparency is your
main hope for catching the problem after the fact.

One might attempt to convince the CAs to implement DNSSEC-validating resolvers
and do DANE outbound... Then some domains would have better protection against
DV forgery.  Though there's the leap of faith via unauthenticated HTTPS.

DV certificate issuance is fundamentally insecure against MiTM at time of issue.

-- 
        Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
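The DANE-EE matching that the message above relies on, as an added illustration that is not part of the thread and not Viktor's or anyone else's code: a DNSSEC-validating SMTP client fetches the domain's TLSA record and compares it against the certificate the MX actually presents, so no first contact, no CA and no prior STS policy cache is involved. The certificates, the name `mx.example.net` and the record values are constructed for the demo; the "forged" certificate stands in for a mis-issued DV certificate carrying the right name but the wrong key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// TLSA holds one DANE record (RFC 6698 / RFC 7672) in wire-field form.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// ParseTLSA parses the presentation form "usage selector mtype hexdata".
func ParseTLSA(s string) (TLSA, error) {
	f := strings.Fields(s)
	if len(f) != 4 {
		return TLSA{}, errors.New("TLSA: want 4 fields")
	}
	var n [3]uint8
	for i := 0; i < 3; i++ {
		v, err := strconv.ParseUint(f[i], 10, 8)
		if err != nil {
			return TLSA{}, err
		}
		n[i] = uint8(v)
	}
	data, err := hex.DecodeString(f[3])
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{n[0], n[1], n[2], data}, nil
}

// String renders the record the way it appears in a zone file.
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.MatchingType, hex.EncodeToString(t.Data))
}

// certData returns what the selector points at: the full DER cert (0) or its SubjectPublicKeyInfo (1).
func certData(cert *x509.Certificate, selector uint8) ([]byte, error) {
	switch selector {
	case 0:
		return cert.Raw, nil
	case 1:
		return cert.RawSubjectPublicKeyInfo, nil
	}
	return nil, fmt.Errorf("unsupported selector %d", selector)
}

// digest applies the matching type: exact bytes (0), SHA-256 (1) or SHA-512 (2).
func digest(data []byte, mtype uint8) ([]byte, error) {
	switch mtype {
	case 0:
		return data, nil
	case 1:
		h := sha256.Sum256(data)
		return h[:], nil
	case 2:
		h := sha512.Sum512(data)
		return h[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", mtype)
}

// TLSAFor computes the record a domain owner publishes for cert (the "3 1 1" form is the usual SMTP choice).
func TLSAFor(cert *x509.Certificate, usage, selector, mtype uint8) (TLSA, error) {
	data, err := certData(cert, selector)
	if err != nil {
		return TLSA{}, err
	}
	d, err := digest(data, mtype)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{usage, selector, mtype, d}, nil
}

// MatchDANEEE checks a DANE-EE(3) record against the leaf certificate the SMTP server presented.
// Only usage 3 is handled here; the record itself is what DNSSEC authenticated, not any CA signature on the leaf.
func MatchDANEEE(rec TLSA, leaf *x509.Certificate) (bool, error) {
	if rec.Usage != 3 {
		return false, fmt.Errorf("usage %d not handled here (only DANE-EE)", rec.Usage)
	}
	data, err := certData(leaf, rec.Selector)
	if err != nil {
		return false, err
	}
	got, err := digest(data, rec.MatchingType)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, rec.Data), nil
}

// NewSelfSignedCert builds a throwaway ECDSA P-256 certificate for the demo (constructed input, not a real MX cert).
func NewSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	server, _ := NewSelfSignedCert("mx.example.net") // the domain's genuine MX key
	forged, _ := NewSelfSignedCert("mx.example.net") // same name, different key: a mis-issued DV cert looks like this to DANE
	rec, _ := TLSAFor(server, 3, 1, 1)
	fmt.Println("_25._tcp.mx.example.net. IN TLSA", rec)
	ok, _ := MatchDANEEE(rec, server)
	fmt.Println("genuine cert matches:", ok)
	ok, _ = MatchDANEEE(rec, forged)
	fmt.Println("forged cert matches:", ok)
}
```

The client in this sketch never asks who signed the leaf, which is the point of the thread: a certificate a CA was tricked into issuing at first contact passes WebPKI checks but fails the TLSA comparison, because the SPKI hash in DNS belongs to the domain owner's key, not to the attacker's.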