On 3/27/17 1:21 AM, Viktor Dukhovni wrote:
>> On Mar 27, 2017, at 4:08 AM, Federico Santandrea - Diennea
>> <[email protected]> wrote:
>>
>> Let's suppose the sending MTA finds the MTA-STS TXT record, which states
>> the receiving domain has an MTA-STS policy. The draft says "To discover
>> if a recipient domain implements MTA-STS, a sender need only resolve a
>> single TXT record". But what happens when the sending MTA can't fetch
>> the actual policy via HTTPS?
>
> Keep it simple. It is just as easy to block access to the TXT record as
> to block access to the HTTPS site. The TXT record is just an efficiency
> aid, so that MTAs don't have to attempt costly HTTPS connections (that
> typically time out) to domains with no STS records.

Actually, it's easier to block access to the TXT record, because it's obvious in the clear that it's an MTA-STS TXT record, and an MITM that is actively interfering with STARTTLS would likely be able to block retrieval of the TXT record. In contrast, it's probably harder to block the HTTPS site without potentially causing collateral damage.

The TXT record is more than an efficiency aid if blocking it causes the policy not to be discovered at all. OTOH, if it is used just to discover policy updates, we wouldn't have that problem. But that would increase the traffic load on the HTTPS server considerably.

-Jim

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
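The discovery flow the thread is arguing about, as an added example that is not part of the thread or of any MTA-STS implementation: a Python sketch of a sending MTA's policy lookup, with the DNS resolver and the HTTPS fetcher injected as callables so that it runs offline against constructed records. The fallback rules it applies to the two failure cases under discussion (TXT record blocked; TXT record found but the HTTPS fetch fails) are the ones the published specification, RFC 8461 section 3.3, later settled on: a still-valid cached policy keeps applying when either lookup fails, and with no cached policy the sender proceeds as though the domain had no MTA-STS at all. The domain, record id and policy text below are constructed; the `_mta-sts.` TXT label, the `https://mta-sts.<domain>/.well-known/mta-sts.txt` URL and the policy file keys are the ones RFC 8461 defines.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data (not from the thread): one domain's TXT record and policy file.
SAMPLE_DOMAIN = "example.com"
SAMPLE_TXT = ["v=STSv1; id=20170327T012100;"]
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.backup.example.com\nmax_age: 604800\n")

_TXT_RE = re.compile(r"^v=STSv1\s*;\s*id=([A-Za-z0-9]{1,32})\s*;?\s*$")


@dataclass
class Policy:
    domain: str
    txt_id: str          # id seen in the TXT record at fetch time; a changed id means "refetch"
    mode: str            # enforce | testing | none
    mx: List[str]        # MX patterns; a leading "*." matches exactly one label
    max_age: int         # lifetime in seconds, counted from fetched_at
    fetched_at: float

    def expired(self, now: float) -> bool:
        return now >= self.fetched_at + self.max_age

    def mx_allowed(self, host: str) -> bool:
        """True if the MX hostname matches one of the policy's mx patterns."""
        host = host.lower().rstrip(".")
        for pat in self.mx:
            pat = pat.lower()
            if pat.startswith("*."):
                # The wildcard covers a single label: *.backup.example.com matches
                # mx1.backup.example.com but not a.b.backup.example.com.
                if host.partition(".")[2] == pat[2:]:
                    return True
            elif host == pat:
                return True
        return False


def parse_sts_txt(records: List[str]) -> Optional[str]:
    """Return the policy id if exactly one well-formed MTA-STS record is present.
    Zero or several matching records mean 'no MTA-STS policy' for this domain."""
    ids = [m.group(1) for m in (_TXT_RE.match(r.strip()) for r in records) if m]
    return ids[0] if len(ids) == 1 else None


def parse_policy(text: str, domain: str, txt_id: str, now: float) -> Policy:
    """Parse the 'key: value' policy file; raise ValueError on anything malformed."""
    fields: Dict[str, str] = {}
    mx: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value)
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("bad mode")
    max_age = int(fields.get("max_age", ""))  # ValueError if missing or non-numeric
    if mode != "none" and not mx:
        raise ValueError("no mx patterns")
    return Policy(domain, txt_id, mode, mx, max_age, now)


def discover_policy(domain: str, cache: Dict[str, Policy], now: float,
                    resolve_txt: Callable[[str], List[str]],
                    fetch_https: Callable[[str], str]) -> Optional[Policy]:
    """Return the policy to apply for `domain`, or None meaning 'deliver as if the
    domain has no MTA-STS'. resolve_txt(name) returns the TXT strings or raises on
    DNS failure; fetch_https(url) returns the body or raises on any HTTP/TLS failure."""
    cached = cache.get(domain)
    if cached is not None and cached.expired(now):
        del cache[domain]
        cached = None

    try:
        txt_id = parse_sts_txt(resolve_txt(f"_mta-sts.{domain}"))
    except Exception:
        txt_id = None  # a blocked or failed lookup is indistinguishable from "no record"
    if txt_id is None:
        # No live TXT record: a still-valid cached policy keeps applying; otherwise no MTA-STS.
        return cached
    if cached is not None and cached.txt_id == txt_id:
        return cached  # id unchanged, so no HTTPS fetch is needed at all

    try:
        body = fetch_https(f"https://mta-sts.{domain}/.well-known/mta-sts.txt")
        policy = parse_policy(body, domain, txt_id, now)
    except Exception:
        # TXT says a policy exists but it could not be fetched: keep applying the cached
        # policy while it is valid; with no cache, proceed as if MTA-STS were not deployed.
        return cached
    cache[domain] = policy
    return policy
```

Run through the cases in the thread: a sender that already holds a valid cached policy keeps enforcing it whether the attacker blocks the TXT lookup or the HTTPS fetch, because neither failure evicts the cache before `max_age` runs out. A sender with an empty cache (first contact, or a cache that has just expired) gets `None` from `discover_policy` in both cases and delivers as if MTA-STS were not deployed, which is precisely the window Jim is pointing at; the cache, not the TXT record, is what confines that window to first contact.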
