On 8/28/18 2:25 PM, Viktor Dukhovni wrote: > > >> On Aug 28, 2018, at 2:43 PM, Peter Saint-Andre <[email protected]> wrote: >> >> The MTA-STS work seems very similar to PKIX over Secure HTTP (POSH) as >> defined in RFC 7711: >> >> https://www.rfc-editor.org/rfc/rfc7711.txt >> >> Were the authors aware of POSH and, if so, what was the rationale for >> defining a different approach? > > One important difference is that TLS in SMTP is opportunistic, so > much of the complexity is signalling *whether* to use authenticated > TLS, rather than how to do the authentication.
Agreed. > Secondarily, key fingerprints are fragile, name-based indirection > is more robust, at the cost of trusting the usual panoply of CAs. > Policies that pin names rather than fingerprints are much more > stable, especially because the customer publishes the same MX > hosts in their DNS, so it is data they control. Thanks for the clarification, Viktor! Peter
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
