> On May 10, 2018, at 5:39 PM, Ted Hardie <ted.i...@gmail.com> wrote: > > The good news is that I don't think there is a practical difference for those > that want to deploy this; they still do the same thing. The bad news is that > Warren's concern about that lazy programmer just checking the > mta-sts.example.com host without looking for the TXT record will eventually > turn into a security issue, but that will be bad code, not a bad > specification.
What might help is that not many lazy programmers get to write MTA implementations, particularly with fancy bells and whistles like MTA-STS. They're more likely to write SUBMIT clients, which are not in scope for this specification. And thus, indeed "mta-sts.example.com" has no special meaning unless the TXT record is also present. So this feature of the spec is somewhat unfortunate, but perhaps the right tradeoff vs. limiting deployment to domains that are able to serve the policy from "https://example.com";. Folks operating organizational websites can speak more to how much of a burden such a constraint might be. -- Viktor. _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
