> On Tue, Apr 04, 2017 at 04:20:59PM +0200, Daniel Margolis wrote:
> > Can you explain a little more what you mean? The mitigation is to publish a
> > new policy with the correct values, so certainly anyone who does so
> > pre-emptively is not likely to fall victim to a DoS attack. More
> > specifically, anyone who is _aware_ of this risk should simply ensure
> > untrusted individuals cannot publish content with a certificate for
> > *.example.com on "mta-sts.example.com"; the risk is for domains like (say)
> > tumblr.com who may inadvertently allow that.
>
> I too found the text in question confusing. It makes no mention that
> the attacker is presumed able to obtain certificates for
> "mta-sts.example.com", but otherwise the description does not make
> much sense. The DNS TXT record does indeed facilitate recovery
> after the fact by signalling the availability of an updated policy.
>
> I would also like to encourage the authors to post revised drafts
> more frequently. Please see:
>
> https://www.ietf.org/mail-archive/web/ietf/current/threads.html#101804

+1000.

Ned
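The two mechanisms the thread touches on, a policy whose mx list does not cover the domain's real MX hosts (the DoS case) and the TXT record id as the signal that an updated policy is available, as an added example that is not code from the thread or the draft. It assumes the record and policy syntax of the published MTA-STS spec (RFC 8461); the records and hostnames are constructed placeholders.

```python
"""Added example (not from the thread): parse an MTA-STS TXT record and
policy, flag MX hosts an enforce policy would not cover, and use the TXT
id as the refresh signal. Inputs are constructed; hostnames are placeholders."""
import re

TXT_RECORD = "v=STSv1; id=20170404T1400Z;"                  # constructed
POLICY_TEXT = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
               "mx: *.example.net\nmax_age: 604800\n")      # constructed
REAL_MX_HOSTS = ["mail.example.com", "mx2.example.com"]     # constructed

def parse_txt_record(txt):
    """Return {'v': ..., 'id': ...}, or None if not a valid STSv1 record."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    ok = fields.get("v") == "STSv1" and re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", ""))
    return fields if ok else None

def parse_policy(text):
    """Return the policy as a dict ('mx' is a list), or None if malformed."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            return None
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    valid = (policy.get("version") == "STSv1" and policy.get("mode") in ("enforce", "testing", "none")
             and policy.get("max_age", "").isdigit())
    if valid:
        policy["max_age"] = int(policy["max_age"])
    return policy if valid else None

def mx_matches(pattern, host):
    """A leading '*.' wildcard matches exactly one extra label (RFC 8461)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern

def uncovered_hosts(policy, mx_hosts):
    """MX hosts that senders applying this policy in enforce mode would reject."""
    if policy["mode"] != "enforce":
        return []
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]

def needs_refresh(cached_id, txt):
    """The TXT id is the recovery signal: a changed id means fetch a new policy.
    An unparsable record means keep the cached policy until max_age expires."""
    rec = parse_txt_record(txt)
    return rec is not None and rec["id"] != cached_id
```

Running `uncovered_hosts` against a domain's own published policy and real MX set is the check a domain owner can do before a bad policy (whoever published it) starts costing inbound mail.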