On Tue, Apr 04, 2017 at 04:20:59PM +0200, Daniel Margolis wrote:
> Can you explain a little more what you mean? The mitigation is to publish a
> new policy with the correct values, so certainly anyone who does so
> pre-emptively is not likely to fall victim to a DoS attack. More
> specifically, anyone who is _aware_ of this risk should simply ensure
> untrusted individuals cannot publish content with a certificate for
> *.example.com on "mta-sts.example.com"; the risk is for domains like (say)
> tumblr.com who may inadvertently allow that.
I too found the text in question confusing. It makes no mention that
the attacker is presumed able to obtain certificates for
"mta-sts.example.com", but otherwise the description does not make
much sense. The DNS TXT record does indeed facilitate recovery
after the fact by signalling the availability of an updated policy.
I would also like to encourage the authors to post revised drafts
more frequently. Please see:
https://www.ietf.org/mail-archive/web/ietf/current/threads.html#101804
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
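The recovery path Viktor refers to, the DNS TXT record's `id` signalling that a fresh policy should be fetched over HTTPS, is easiest to see in code. The following Python is an added illustration, not code from the thread, the draft, or any MTA-STS implementation. It assumes the record and policy syntax of the published RFC 8461 (`v=STSv1; id=...` in `_mta-sts.<domain>`, and a `key: value` policy file at `https://mta-sts.<domain>/.well-known/mta-sts.txt`), treats `mx` as required unless `mode` is `none` (an assumption of this example), and uses constructed sample values for the TXT record and policy rather than anything observed for a real domain. It also shows the one-label wildcard matching a sending MTA applies to `mx` patterns, which is where a policy published with the wrong values (the DoS the quoted text worries about) would bite: a cached policy keeps rejecting legitimate MX hosts until the domain owner publishes a corrected policy and bumps the `id`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample inputs (not taken from the thread): the TXT record a
# resolver would return for _mta-sts.example.com, and the policy file served
# at https://mta-sts.example.com/.well-known/mta-sts.txt.
SAMPLE_TXT_RECORD = "v=STSv1; id=20170404T162059;"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.net\n"
    "max_age: 604800\n"
)

VALID_MODES = {"enforce", "testing", "none"}


def parse_txt_record(txt: str) -> Dict[str, str]:
    """Parse the _mta-sts TXT record ("v=STSv1; id=...") into a dict."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("policy id must be 1-32 alphanumeric characters")
    return fields


@dataclass
class Policy:
    mode: str
    mx: List[str]
    max_age: int


def parse_policy(text: str) -> Policy:
    """Parse the key: value policy file and reject anything malformed."""
    mode: Optional[str] = None
    max_age: Optional[int] = None
    mx: List[str] = []
    version_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            if value != "STSv1":
                raise ValueError("unsupported policy version")
            version_seen = True
        elif key == "mode":
            if value not in VALID_MODES:
                raise ValueError(f"invalid mode: {value!r}")
            mode = value
        elif key == "max_age":
            max_age = int(value)
            if not 0 <= max_age <= 31557600:
                raise ValueError("max_age out of range")
        elif key == "mx":
            mx.append(value.lower())
        # Unknown keys are ignored so future extensions do not break parsing.
    if not (version_seen and mode and max_age is not None):
        raise ValueError("version, mode and max_age are all required")
    if mode != "none" and not mx:  # assumption: mx required unless mode none
        raise ValueError("an enforcing or testing policy needs at least one mx")
    return Policy(mode=mode, mx=mx, max_age=max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*.' matches exactly one leftmost label, nothing more."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.net"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def policy_allows(policy: Policy, mx_host: str) -> bool:
    """True if the MX host a sender resolved is permitted by the policy."""
    return any(mx_matches(p, mx_host) for p in policy.mx)


def needs_refresh(cached_id: Optional[str], dns_id: str) -> bool:
    """The TXT id is the only in-band signal that a new policy exists: a changed
    id means the HTTPS policy must be re-fetched before the cached one expires,
    which is what lets a domain owner recover from a bad published policy."""
    return cached_id != dns_id


if __name__ == "__main__":
    record = parse_txt_record(SAMPLE_TXT_RECORD)
    policy = parse_policy(SAMPLE_POLICY)
    print(record["id"], policy)
    print(policy_allows(policy, "mx1.backup.example.net"))
    print(needs_refresh("oldid", record["id"]))
```

A sending MTA that follows this logic re-fetches the policy whenever the TXT `id` differs from the one it cached, so once the legitimate owner serves a corrected policy and changes the `id`, the stale (or attacker-supplied) policy stops being enforced on the next DNS lookup rather than only after `max_age` elapses.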