On 12 April 2018 at 00:49, Ned Freed <ned.fr...@mrochek.com> wrote:
>
> > This workload is what I consider to be the antithesis of "intuitively
> > simpler".
>
> And once again I'm afraid what your intution is telling you is exactly the
> opposite of my experience. For me implementing this using a separate query
> server actually makes things much easier, not harder, in part because I'm
> not
> constrained to code things in C/C++, which is what the SMTP client is
> coded in.
>
> You might want to sit down and try mocking this up in, say, node.js. It may
> change your mind about the approach.
>
> And the client part is going to be maybe 50 lines of C code. Code of a sort
> I've written many, many, many times before. Hardly difficult.
>
>
That's all well and good, but people are saying that DANE is simple enough
to implement too.


> > > > c) Both/either of the above.
> > >
> > > > I assume the logic behind allowing a wildcard-to-wildcard match is to
> > > allow
> > > > a Google user to simply specify ".googlemail.com" and ".l.google.com"
> as
> > > > their MX identity patterns; however it feels as though Google could
> > > simply
> > > > use a known name within the certificate for all their receiving MTAs,
> > > > irrespective of the DNS records involved. This, of course,
> presupposes
> > > that
> > > > the administrator of the mail domain somehow does not know the
> precise
> > > > names of the MTAs used in their own DNS records.
> > >
> > > > I further assume the logic in mandating matches against dNSName SANs
> is
> > > > because these are readily available; however sRVName SANs, by
> restricting
> > > > their use to a particular service, have the advantage that customers
> > > giving
> > > > these to their service provider might be deemed more acceptable.
> > >
> > > A comparable effect can be achieved by using a subdomain root reserved
> for
> > > email server use.
> > >
> > > So it's a choice between an easily implemented naming convention  and a
> > > bunch
> > > of PKIX esoterica. This does not strike me as a difficult choice.
> > >
> > >
> > Well, being *able* to use sRVName would be nice at least. The
> specification
> > as written prevents it, which seems unfortunate.
>
> I have to say I like the simplicity of the current specification, and I
> don't
> want to see added complexity in this regard without a compelling reason for
> adding it.
>
>
OK, as long as you understand this embeds a hack into PKIX.


> > > >    o  MTA-STS Policy: A commitment by the Policy Domain to support
> PKIX
> > > >       [RFC5280] authenticated TLS for the specified MX hosts.
> > >
> > > > Impressively, by my reading, the commitment is for the Policy Domain
> to
> > > > support PKIX for all SMTP; and not just for specified hosts.
> > >
> > > Of course that's the commitment. How could it be otherwise?
> > >
>
> > Then that needs rephrasing, because I didn't see any "Of course" about
> it.
>
> > A commitment by the Policy Domain to support PKIX [RFC 5280]
> authenticated
> > TLS, using reference identifiers as listed.
>
> > (I'm trying to guess what was meant by "for the specified MX hosts".)
>
> The entire point of the mechanism is to say that the policy domain supports
> and wants SSL/TLS transfers and that the servers have validated certs
> with the specified names. So I really don't understand what you're getting
> at here.
>

It says "MX host", which, as near as I can guess, is used elsewhere to mean
a host used as a Mail Exchanger, and not either of the "MX Hostname" or the
"Reference Identifier".

Dave.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta

Reply via email to