On 30.09.18 at 09:15, Viktor Dukhovni wrote:
>> On Sep 30, 2018, at 2:56 AM, Hanno Böck <[email protected]> wrote:
>>
>>> Does that really mean I have to set up thousand+ virtual hosts
>>> https://mta-sts.domain1...1000.example? Or are there other strategies
>>> for hosting providers?
>>
>> This seems to be the one thing that is confusing a lot of people about
>> MTA-STS. The answer is yes, you have to; no, there are no other
>> strategies.
>>
>> The policy host is the thing that ties your domain name's identity to
>> your policy.
>
> This is one way in which DANE is less onerous. For a domain with
> signed MX records, the TLSA records are in the provider's zone
> at _25._tcp.the.mxhost.example, allowing just one TLSA RRset
> managed by the provider to take care of all the (signed) hosted
> domains. This works even when the MX hosting provider does not
> control the customer's domain and is not in a position to
> obtain the requisite certificates. In that case setting up the
> MTA-STS policy is up to the customer.
>
Hello,

thanks for the clarification. As a side effect, one could enumerate domains supporting MTA-STS just by watching the CT logs.

Andreas

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
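The two points made in the thread above, the per-domain policy host that MTA-STS forces on a hosting provider versus the single per-MX TLSA name that DANE needs, and the CT-log side effect Andreas notes, as an added example that is not part of the thread or of any MTA-STS implementation. The domain names, the MX host name and the CT entries are constructed for illustration; the record and path conventions (`mta-sts.<domain>`, `/.well-known/mta-sts.txt`, `_25._tcp.<mxhost>`) are those of RFC 8461 and RFC 7672.

```python
"""Contrast MTA-STS per-domain policy hosts with DANE's per-MX TLSA name, and
filter constructed Certificate Transparency entries for mta-sts.<domain>
names. Added example, not code from the thread or from any MTA-STS project.
"""
from typing import Dict, Iterable, List, Set

MTA_STS_LABEL = "mta-sts"


def _canonical(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing root dot for comparison."""
    return name.strip().rstrip(".").lower()


def mta_sts_policy_host(domain: str) -> str:
    """RFC 8461: the policy for <domain> is served from mta-sts.<domain>,
    so the provider needs a certificate valid for exactly this name."""
    return f"{MTA_STS_LABEL}.{_canonical(domain)}"


def mta_sts_policy_url(domain: str) -> str:
    """RFC 8461 well-known location of the policy file."""
    return f"https://{mta_sts_policy_host(domain)}/.well-known/mta-sts.txt"


def dane_tlsa_name(mx_host: str, port: int = 25) -> str:
    """RFC 7672: TLSA records for SMTP live at _<port>._tcp.<mxhost>,
    in the provider's own zone, independent of the hosted domain."""
    return f"_{port}._tcp.{_canonical(mx_host)}"


def hosting_names(hosted_domains: Iterable[str], mx_host: str) -> Dict[str, object]:
    """Names a provider must publish for N hosted domains under each scheme:
    N policy hosts (each needing a certificate) for MTA-STS, one TLSA name for DANE."""
    return {
        "mta_sts_hosts": [mta_sts_policy_host(d) for d in hosted_domains],
        "tlsa_names": {dane_tlsa_name(mx_host)},
    }


def mta_sts_domains_from_ct(ct_san_entries: Iterable[Iterable[str]]) -> Set[str]:
    """Given the SAN lists of CT log entries, return domains that appear to
    deploy MTA-STS. Only an exact 'mta-sts.' label counts: a wildcard such as
    '*.example' would also cover mta-sts.example but proves nothing about intent."""
    found: Set[str] = set()
    prefix = MTA_STS_LABEL + "."
    for sans in ct_san_entries:
        for raw in sans:
            name = _canonical(raw)
            if "*" in name or not name.startswith(prefix):
                continue
            domain = name[len(prefix):]
            if domain:
                found.add(domain)
    return found


# Constructed sample CT entries (SAN lists), not real log data.
SAMPLE_CT_ENTRIES: List[List[str]] = [
    ["mta-sts.domain1.example", "www.domain1.example"],
    ["*.domain2.example"],             # wildcard: cannot infer MTA-STS
    ["mta-sts.domain3.example"],
    ["mail.provider.example"],         # ordinary MX certificate
    ["MTA-STS.Domain1.Example."],      # same domain, different case and trailing dot
]

if __name__ == "__main__":
    names = hosting_names(["domain1.example", "domain2.example"], "mx.provider.example")
    print("MTA-STS policy hosts:", names["mta_sts_hosts"])
    print("DANE TLSA name:      ", names["tlsa_names"])
    print("MTA-STS domains visible in CT:", sorted(mta_sts_domains_from_ct(SAMPLE_CT_ENTRIES)))
```

The CT filter deliberately ignores wildcard certificates: a `*.domain2.example` certificate would satisfy a client fetching `https://mta-sts.domain2.example/` but does not by itself show that the domain publishes a policy, whereas an exact `mta-sts.` name in a public log is a strong signal, which is the enumeration side effect the thread points out.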
