On Thu, May 10, 2018 at 6:07 PM Viktor Dukhovni <[email protected]> wrote:
> > On May 10, 2018, at 5:39 PM, Ted Hardie <[email protected]> wrote:
> >
> > The good news is that I don't think there is a practical difference for
> > those that want to deploy this; they still do the same thing. The bad news
> > is that Warren's concern about that lazy programmer just checking the
> > mta-sts.example.com host without looking for the TXT record will
> > eventually turn into a security issue, but that will be bad code, not a bad
> > specification.
>
> What might help is that not many lazy programmers get to write MTA
> implementations, particularly with fancy bells and whistles like
> MTA-STS.

Yup, I was more concerned about this becoming a pattern which gets copied and reused in other protocols, and then it comes back to bite us...

> They're more likely to write SUBMIT clients, which are
> not in scope for this specification.
>
> And thus, indeed "mta-sts.example.com" has no special meaning unless
> the TXT record is also present.
>
> So this feature of the spec is somewhat unfortunate, but perhaps
> the right tradeoff vs. limiting deployment to domains that are
> able to serve the policy from "https://example.com". Folks
> operating organizational websites can speak more to how much
> of a burden such a constraint might be.

I *suspect* that people won't like this; serving anything from a naked domain makes me twitch, but a: I'm old fashioned and b: it seems that all the cool kids are doing it, so I may be wrong.

Actually, does anyone know of a "major" site which *doesn't* serve something (even if it is just a redirect) from just the naked domain?

W

> --
> Viktor.
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
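The point the thread turns on, that the policy host carries no meaning unless the TXT record is present, as an added example that is not code from the list thread or from any MTA-STS implementation. It assumes the `_mta-sts.<domain>` TXT record ("v=STSv1; id=...") and the `https://mta-sts.<domain>/.well-known/mta-sts.txt` policy layout from the MTA-STS specification; the DNS answers and policy text below are constructed, so nothing touches the network.

```python
# Constructed stand-ins for a DNS TXT lookup of _mta-sts.example.com and an
# HTTPS fetch of https://mta-sts.example.com/.well-known/mta-sts.txt.
TXT_PRESENT = ["v=STSv1; id=20180510T180700;"]
TXT_ABSENT = []
POLICY_TEXT = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 604800\n"
)

def parse_sts_txt(records):
    """Return the policy id if exactly one valid v=STSv1 record exists.
    Zero or several such records both mean 'no policy' per the spec."""
    ids = []
    for rec in records:
        fields = dict(f.strip().split("=", 1) for f in rec.split(";") if "=" in f)
        if fields.get("v") == "STSv1" and "id" in fields:
            ids.append(fields["id"])
    return ids[0] if len(ids) == 1 else None

def parse_policy(text):
    """Parse the key: value policy body; None if version/mode are not valid."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    policy["max_age"] = int(policy["max_age"])
    return policy

def lazy_discover(policy_text):
    """The shortcut the thread warns about: trusts whatever the policy host serves."""
    return parse_policy(policy_text)

def discover(txt_records, policy_text):
    """Spec-shaped discovery: without the TXT record, the policy host is ignored."""
    policy_id = parse_sts_txt(txt_records)
    if policy_id is None:
        return None
    policy = parse_policy(policy_text)
    if policy is None:
        return None
    policy["id"] = policy_id
    return policy
```

With the TXT record absent, `discover` returns None while `lazy_discover` happily enforces the fetched policy, which is exactly the gap between bad code and a bad specification that the thread describes.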
