> On Jan 8, 2019, at 5:02 PM, Grant Taylor
> <[email protected]> wrote:
>
> On 01/08/2019 02:35 PM, Viktor Dukhovni wrote:
>> That's OK, you have working DANE, you mostly don't need MTA-STS.
>
> Wait a minute.
>
> Maybe it's the "mostly" qualifier there, but I thought first S was one of the
> critical parts of MTA-STS (or HSTS for that matter).
>
> Whereby the "Strict" means that "Transport Security" *MUST* be used. As in
> *NEVER* send email *WITHOUT* transport security. Further, treat any situation
> where you could send email without transport security as an error.

DANE for SMTP as defined in RFC7672 is strictly stronger than MTA-STS.
For clients that implement the DANE spec, TLS and authentication are
mandatory with receiving MX hosts that publish TLSA records, and unlike
MTA-STS the signalling is downgrade-resistant even on first contact.

>> MTA-STS is aimed at receiving domains that face obstacles signing their
>> *own* domain.
>
> I view the signal that transport security *MUST* /strictly/ be used as
> distinctly different than things like DANE. (Perhaps I'm misremembering
> DANE.)

You're misremembering or never looked closely at DANE for SMTP.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
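To make concrete what "TLS and authentication are mandatory with receiving MX hosts that publish TLSA records" means in client logic, here is an added example (written for this page, not code from the thread, from Postfix or from any RFC) of the two steps an RFC 7672 client performs per MX host: deciding the required security level from the DNSSEC state of the `_25._tcp.<mx>` TLSA lookup, and matching the server's presented certificate against the TLSA RRset as RFC 6698 section 2.1 defines. The level names (`may`, `encrypt`, `dane`) are assumed from Postfix's vocabulary; the certificate and SPKI bytes are constructed placeholders rather than real DER, since in a real client an X.509 library extracts them from the presented chain. Note that the level decision needs nothing but the DNS answer and its validation state, which is why the signal survives first contact: there is no cached policy for a downgrade to strip. The DANE-TA(2) branch checks only digest matching; a complete client also verifies that the leaf chains to that trust anchor and checks the name.

```python
"""DANE-for-SMTP client decisions (RFC 7672 / RFC 6698), stdlib only.
Added example; certificate bytes below are constructed, not real DER."""
import hashlib
from dataclasses import dataclass
from typing import List

# RFC 7672 section 3.1.3: SMTP uses only DANE-TA(2) and DANE-EE(3).
# PKIX-TA(0) / PKIX-EE(1) are not used because an SMTP client has no
# agreed set of PKIX trust anchors for arbitrary MX hosts.
USABLE_USAGES = {2, 3}
SELECTORS = {0, 1}          # 0 = full certificate, 1 = SubjectPublicKeyInfo
DIGEST_LEN = {0: None, 1: 32, 2: 64}  # matching type -> expected data length


@dataclass(frozen=True)
class Cert:
    """What the matching step needs from one presented certificate."""
    der: bytes    # whole certificate, DER
    spki: bytes   # its SubjectPublicKeyInfo, DER


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSA":
        """Parse presentation form, e.g. '3 1 1 <hex>'."""
        usage, selector, matching, hexdata = presentation.split(None, 3)
        return cls(int(usage), int(selector), int(matching),
                   bytes.fromhex(hexdata.replace(" ", "")))

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"

    def usable(self) -> bool:
        """A record with unknown parameters or a malformed digest is 'unusable'."""
        if (self.usage not in USABLE_USAGES or self.selector not in SELECTORS
                or self.matching not in DIGEST_LEN):
            return False
        want = DIGEST_LEN[self.matching]
        return want is None or len(self.data) == want


def _association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Apply selector, then matching type (RFC 6698 section 2.1)."""
    selected = cert.der if selector == 0 else cert.spki
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    return selected


def tlsa_for_cert(cert: Cert, usage=3, selector=1, matching=1) -> TLSA:
    """The record a domain publishes for a cert; '3 1 1' is RFC 7671's recommended form."""
    return TLSA(usage, selector, matching, _association_data(cert, selector, matching))


def tlsa_matches(rec: TLSA, cert: Cert) -> bool:
    return _association_data(cert, rec.selector, rec.matching) == rec.data


def authenticate(records: List[TLSA], chain: List[Cert]) -> bool:
    """chain[0] is the end-entity cert. DANE-EE(3) may match only the leaf;
    DANE-TA(2) may match any presented cert (chain validation to that TA
    and the name check, which a full client also performs, are omitted)."""
    for rec in records:
        if not rec.usable():
            continue
        candidates = chain[:1] if rec.usage == 3 else chain
        if any(tlsa_matches(rec, c) for c in candidates):
            return True
    return False


def delivery_policy(lookup_state: str, records: List[TLSA]) -> str:
    """Required TLS level for one MX host from its TLSA lookup.
    lookup_state: 'bogus' (DNSSEC validation failed), 'insecure' (unsigned
    zone) or 'secure' (validated). Level names follow Postfix."""
    if lookup_state == "bogus":
        return "unusable"     # skip this MX host; defer if none is left
    if lookup_state == "insecure" or not records:
        return "may"          # opportunistic TLS, no downgrade protection
    if any(r.usable() for r in records):
        return "dane"         # TLS mandatory and cert MUST match a record
    return "encrypt"          # TLS mandatory, but nothing can authenticate it


# Constructed sample material (placeholders, not DER).
LEAF = Cert(b"constructed-leaf-der", b"constructed-leaf-spki")
ISSUER = Cert(b"constructed-issuer-der", b"constructed-issuer-spki")

if __name__ == "__main__":
    rec = tlsa_for_cert(LEAF)
    print("publish:", rec.presentation())
    print("level:", delivery_policy("secure", [rec]),
          "auth:", authenticate([rec], [LEAF, ISSUER]))
```

Run it to see the `3 1 1` record a zone would publish for the sample key and the resulting `dane` level; feed `delivery_policy` the three lookup states to see how a validating resolver's verdict alone fixes the outcome.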