> On Aug 28, 2018, at 2:43 PM, Peter Saint-Andre <[email protected]> wrote:
>
> The MTA-STS work seems very similar to PKIX over Secure HTTP (POSH) as
> defined in RFC 7711:
>
> https://www.rfc-editor.org/rfc/rfc7711.txt
>
> Were the authors aware of POSH and, if so, what was the rationale for
> defining a different approach?
One important difference is that TLS in SMTP is opportunistic, so
much of the complexity is signalling *whether* to use authenticated
TLS, rather than how to do the authentication.
Secondarily, key fingerprints are fragile, name-based indirection
is more robust, at the cost of trusting the usual panoply of CAs.
Policies that pin names rather than fingerprints are much more
stable, especially because the customer publishes the same MX
hosts in their DNS, so it is data they control.
--
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
