Just to make sure I understand, your point was that there's no additional risk introduced by having arbitrary hostnames for the Policy Host, and having the hostname specified via the TXT record?
I tend to agree about the security reasoning (i.e., that having the TXT provide indirection to the Policy Host introduces no real risks), but I think it may still be easier, operationally, to have this be fixed.

I think the only real concern I would have is if this has any operational costs: if that special hostname is for some reason already being used in a way which is incompatible with our usage. FWIW, I have a list of 205k mail domains that Viktor gave me, of which zero have an A record for "mta-sts.$domain" (at least when I did a lookup just now). So my guess is that this is not very likely to be already in use, and the simplicity is worth it.

Is that reasonable? Objections? I admit this is a handwavy argument. ;)

Dan

On Sun, May 13, 2018 at 6:17 PM Adam Roach <[email protected]> wrote:
> On 5/10/18 10:36 AM, Viktor Dukhovni wrote:
> > The real concern is for domains that have MTA-STS policy. A forged
> > TXT record should not be able to redirect the policy to a different
> > source. If a domain has no MTA-STS policy, then a failure to reserve
> > the mta-sts hostname might allow someone to register that subdomain,
> > but that someone would still need to MiTM the TXT record, and they could
> > instead MiTM the MX records.
>
> Right. It's the fact that anyone who can replace the TXT record could
> also replace the MX record that, I think, undermines the argument about
> sending MTAs to the wrong STS policy server. I don't see an attack here
> that is more powerful than other attacks that someone with the same
> capabilities could launch.
>
> /a
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
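The thread above is arguing about where a sending MTA gets the policy host from: the `_mta-sts.<domain>` TXT record carries only a version and an opaque policy id, and the policy itself is fetched from the fixed host `mta-sts.<domain>`. The following is an added example (not code from the thread or from any participant) showing what a sender-side discovery step looks like under that design: the TXT record is parsed for `v=` and `id=` only, so an extra field such as a constructed `host=attacker.example` in a forged record cannot redirect the fetch; the policy file body is parsed and its `mx:` patterns are matched against MX hostnames with the single-label wildcard rule. The TXT records and policy text below are constructed sample input, and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Discovery under the "fixed policy host" design discussed in the thread:
# the TXT record at _mta-sts.<domain> supplies only an id; the policy is
# always fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt.

def policy_url(domain: str) -> str:
    """The HTTPS location a sender fetches the policy from. Derived from the
    mail domain alone, never from anything in DNS."""
    return f"https://mta-sts.{domain.rstrip('.').lower()}/.well-known/mta-sts.txt"


def parse_sts_txt(record: str) -> Optional[str]:
    """Parse an _mta-sts TXT record ("v=STSv1; id=...").
    Returns the policy id, or None if the record is not a usable STSv1 record.
    Unknown fields are ignored, so they cannot influence where the policy comes from."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        fields[k.strip()] = v.strip()
    if fields.get("v") != "STSv1":
        return None
    pid = fields.get("id")
    # id is 1..32 alphanumerics; it is opaque and only used for cache invalidation
    if not pid or not re.fullmatch(r"[A-Za-z0-9]{1,32}", pid):
        return None
    return pid


def discover(domain: str, txt_record: str) -> Optional[dict]:
    """Combine the TXT lookup result with the fixed policy location."""
    pid = parse_sts_txt(txt_record)
    if pid is None:
        return None
    return {"id": pid, "url": policy_url(domain)}


@dataclass
class StsPolicy:
    mode: str
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> Optional[StsPolicy]:
    """Parse the body served at /.well-known/mta-sts.txt. Returns None if a
    required field is missing or malformed."""
    mode = None
    mx: List[str] = []
    max_age = None
    version_ok = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            return None
        k, v = (s.strip() for s in line.split(":", 1))
        if k == "version":
            version_ok = v == "STSv1"
        elif k == "mode":
            if v not in ("enforce", "testing", "none"):
                return None
            mode = v
        elif k == "mx":
            mx.append(v.lower())
        elif k == "max_age":
            if not v.isdigit():
                return None
            max_age = int(v)
        # any other key is an unknown extension and is ignored
    if not version_ok or mode is None or max_age is None:
        return None
    if mode != "none" and not mx:
        return None  # an enforce/testing policy with no mx patterns is unusable
    return StsPolicy(mode=mode, mx=mx, max_age=max_age)


def mx_matches(mx_host: str, pattern: str) -> bool:
    """An mx pattern is either an exact hostname or '*.' followed by a domain,
    where the wildcard stands for exactly one leftmost label."""
    mx_host = mx_host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        if not mx_host.endswith(suffix):
            return False
        prefix = mx_host[: -len(suffix)]
        return bool(prefix) and "." not in prefix
    return mx_host == pattern


def mx_allowed(mx_host: str, policy: StsPolicy) -> bool:
    """True if the MX hostname is covered by at least one pattern in the policy."""
    return any(mx_matches(mx_host, p) for p in policy.mx)


# Constructed sample input (not real DNS data).
SAMPLE_TXT = "v=STSv1; id=20180513T181700"
FORGED_TXT = "v=STSv1; id=evil1; host=attacker.example"  # extra field, ignored
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.example.com
max_age: 604800
"""
```

Running `discover("example.com", FORGED_TXT)` still yields the `mta-sts.example.com` URL, which is the property the thread relies on: a TXT record can invalidate or rename a policy id, but it has no field that names a policy host, so an attacker who can forge it gains nothing beyond what forging the MX records would already give them.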
