Thanks for the feedback. I think we were not sure how careful we should be about posting frequently vs spamming people with intermediate drafts. ;)
What text do you find confusing? You mean this?

> Similarly, we consider the possibility of domains that deliberately
> allow untrusted users to serve untrusted content on user-specified
> subdomains. In some cases (e.g. the service Tumblr.com) this takes
> the form of providing HTTPS hosting of user-registered subdomains; in
> other cases (e.g. dynamic DNS providers) this takes the form of
> allowing untrusted users to register custom DNS records at the
> provider's domain.
>
> In these cases, there is a risk that untrusted users would be able to
> serve custom content at the "mta-sts" host, including serving an
> illegitimate MTA-STS policy.

On Tue, Apr 4, 2017 at 9:32 PM, <[email protected]> wrote:

> > On Tue, Apr 04, 2017 at 04:20:59PM +0200, Daniel Margolis wrote:
> >
> > > Can you explain a little more what you mean? The mitigation is to publish a
> > > new policy with the correct values, so certainly anyone who does so
> > > pre-emptively is not likely to fall victim to a DoS attack. More
> > > specifically, anyone who is _aware_ of this risk should simply ensure
> > > untrusted individuals cannot publish content with a certificate for
> > > *.example.com on "mta-sts.example.com"; the risk is for domains like (say)
> > > tumblr.com who may inadvertently allow that.
> >
> > I too found the text in question confusing. It makes no mention that
> > the attacker is presumed able to obtain certificates for
> > "mta-sts.example.com", but otherwise the description does not make
> > much sense. The DNS TXT record does indeed facilitate recovery
> > after the fact by signalling the availability of an updated policy.
> >
> > I would also like to encourage the authors to post revised drafts
> > more frequently. Please see:
> >
> > https://www.ietf.org/mail-archive/web/ietf/current/threads.html#101804
>
> +1000.
>
> Ned
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
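The recovery path the thread is arguing about, as an added worked example that is not code from the draft or from any of the participants: a sending MTA re-fetches the HTTPS policy only when the id in the `_mta-sts` TXT record changes, so a domain owner who finds an illegitimate policy cached by senders evicts it by publishing a new id together with the correct policy. Record and policy formats follow RFC 8461, the published form of the draft under discussion; `example.com`, `mx.attacker.example`, the policy ids and the policy bodies are constructed sample data, and `SenderCache` is a hypothetical in-memory stand-in for a real MTA's cache.

```python
"""MTA-STS discovery and cache refresh (added example; formats per RFC 8461,
all hostnames, ids and policies are constructed sample data)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class StsPolicy:
    mode: str          # "enforce", "testing" or "none"
    mxs: List[str]     # allowed MX patterns, lower-cased
    max_age: int       # seconds a sender may cache this policy


def parse_txt_record(txt: str) -> str:
    """Return the policy id from a '_mta-sts.<domain>' TXT record
    ('v=STSv1; id=<opaque>;').  The id only tells senders whether their
    cached copy is current; the policy itself is never carried in DNS."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an STSv1 record: %r" % txt)
    return fields["id"]


def parse_policy(body: str) -> StsPolicy:
    """Parse the text served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    mode: Optional[str] = None
    max_age: Optional[int] = None
    mxs: List[str] = []
    version_ok = False
    for line in body.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "version":
            version_ok = value == "STSv1"
        elif key == "mode":
            mode = value
        elif key == "mx":
            mxs.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if not version_ok or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("malformed MTA-STS policy")
    if mode != "none" and not mxs:
        raise ValueError("policy in mode %r lists no mx" % mode)
    return StsPolicy(mode, mxs, max_age)


def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """True if mx_host is permitted: a pattern is an exact hostname or
    '*.<suffix>', where '*' stands for exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mxs:
        if pattern.startswith("*."):
            _label, dot, rest = host.partition(".")
            if dot and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


class SenderCache:
    """Hypothetical per-domain memory of a sending MTA: (policy id, policy)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, StsPolicy]] = {}

    def refresh(self, domain: str, txt_record: str,
                fetch_policy: Callable[[str], str]) -> Tuple[StsPolicy, bool]:
        """Consult DNS; fetch over HTTPS only when the id changed.
        Returns (policy, fetched_now)."""
        policy_id = parse_txt_record(txt_record)
        cached = self.entries.get(domain)
        if cached is not None and cached[0] == policy_id:
            return cached[1], False
        policy = parse_policy(fetch_policy(domain))
        self.entries[domain] = (policy_id, policy)
        return policy, True


# Constructed: what an untrusted tenant able to serve content for
# mta-sts.example.com might publish (enforce mode naming an MX the real
# domain never uses), and the owner's legitimate policy.
BOGUS_POLICY = "version: STSv1\nmode: enforce\nmx: mx.attacker.example\nmax_age: 604800\n"
GOOD_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"


def demo() -> Dict[str, bool]:
    """Walk through the scenario: bogus policy cached, stale until the id changes."""
    cache = SenderCache()
    served = {"example.com": BOGUS_POLICY}   # content at mta-sts.example.com
    fetch = lambda d: served[d]
    # 1. The illegitimate policy is cached under the current id; in enforce
    #    mode the legitimate MX now fails validation, i.e. a DoS on delivery.
    p1, fetched1 = cache.refresh("example.com", "v=STSv1; id=20170401000000Z;", fetch)
    blocked = fetched1 and p1.mode == "enforce" and not mx_matches(p1, "mail.example.com")
    # 2. Fixing only the HTTPS content does not help senders that already cached.
    served["example.com"] = GOOD_POLICY
    p2, fetched2 = cache.refresh("example.com", "v=STSv1; id=20170401000000Z;", fetch)
    stale = (not fetched2) and p2 is p1
    # 3. A new id in the TXT record is the signal that triggers the re-fetch.
    p3, fetched3 = cache.refresh("example.com", "v=STSv1; id=20170405120000Z;", fetch)
    recovered = fetched3 and mx_matches(p3, "mail.example.com")
    return {"blocked": blocked, "stale": stale, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The cache only consults HTTPS when the TXT id changes, which is why the owner's fix in step 2 is invisible until step 3; it is also why, as the quoted reply notes, an attacker who can serve content on the `mta-sts` host needs a certificate valid for that name, since the fetch is over HTTPS. Expiry after `max_age` would eventually evict the bad policy as well, but that can be a week away.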
