Daniel Margolis пишет: > Yes, agreed. To be very slightly nitpicky, I would say this is ever so > slightly worse in that even if the CA has sent mail to example.com > <http://example.com> in the past, they probably did not send mail to > "mx1.example.com <http://mx1.example.com>", so the opportunity to > create a bootstrapping scenario remains. But in general I think we're > saying the same thing--that this is a problem with domain > verification, and not something to solve here.
You can not rely on CA for SMTP security and deny the problem of insecure validation due to inability to provide secure domain verification via SMTP by CA in the same time. The problem of domain verification can (and is intended to) be mitigated with STS for http/smtp validation, but it means CA must be capable to use STS with STS preloading or STS precaching. You can require CAs to e.g. use Mozilla STS preloaded list to be included into Mozilla root CAs in future, but STS policy preloading is only useful if you can specify policy for subdomains. -- Vladimir Dubrovin @Mail.Ru
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
