Re: [Uta] STS and SNI (was Re: Interaction between MTA-STS and DANE)


Viktor Dukhovni


> On Oct 27, 2017, at 12:39 PM, Alberto Bertogli <[hidden email]> wrote:
>
>
> So to me you are arguing to add a non-trivial amount of complexity to
> certificate validation, and make it differ significantly from widely
> used and tested logic; in exchange for making it easier for <1% of the
> hosts to potentially adopt STS.

There are more reasons:

* Many domains will want to be able to change the list of MX hosts
  in DNS without having to remember to update the policy definition,
  which I can assure you they are going to forget to do...  To
  make that work they can (as written) simply specify:

        mx: .example.com

  And then any host in ".example.com" will do, which will be secure
  enough for the needs of SOHO domains without well-staffed dedicated
  operations teams and robust operational discipline.

* With the names in the policy just patterns to match in the remote
  certificate, fewer implementations will botch the loop elimination
  logic, which is likely to happen when the list is a verbatim
  duplication of the MX RRset in DNS, and it becomes tempting to
  prune DNS responses at the earliest possible moment.

--
        Viktor.
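The first bullet above argues that a policy naming a domain pattern (rather than a verbatim copy of the MX RRset) keeps working when the MX hosts change. The following Python is an added example, not code from the thread or from any MTA: a minimal, hypothetical policy parser plus a matcher that accepts both the draft-era `.example.com` form quoted in the post (assumed here to mean any host under that domain, as the post describes) and the `*.example.com` form that RFC 8461 later standardised (one label only). The policy text and MX RRset are constructed sample data.

```python
"""MTA-STS "mx" pattern matching: a domain-pattern policy survives MX changes.

Added example, not part of the original mailing-list post. The policy bodies
and the MX RRset below are constructed. parse_policy() is a deliberately
minimal, hypothetical parser, not any particular MTA's implementation.
"""
from typing import Dict, List

# Constructed policy in the draft-era form quoted in the post:
# any host in ".example.com" is acceptable.
DRAFT_POLICY = """\
version: STSv1
mode: enforce
mx: .example.com
max_age: 86400
"""

# Constructed policy in the RFC 8461 form: "*." matches exactly one label.
RFC_POLICY = """\
version: STSv1
mode: enforce
mx: *.example.com
max_age: 86400
"""

# Constructed MX RRset, including a host added after the policy was published
# and a host in a different domain that must be rejected.
MX_RRSET = [
    "mx1.example.com",
    "mx-new.example.com",
    "backup.mail.example.com",
    "mx.example.net",
]


def parse_policy(text: str) -> Dict[str, object]:
    """Parse a policy body into a dict; every "mx" line collects into a list."""
    policy: Dict[str, object] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line: ignored by this minimal parser
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))  # type: ignore[union-attr]
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """Return True when hostname satisfies one "mx" entry.

    "*.example.com": exactly one label below example.com (RFC 8461 semantics).
    ".example.com":  any host under example.com, at any depth (assumed
                     draft-era semantics, following the post's wording).
    Anything else:   exact, case-insensitive host match.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        suffix, any_depth = pat[1:], False
    elif pat.startswith("."):
        suffix, any_depth = pat, True
    else:
        return host == pat
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    if not prefix:
        return False  # the bare apex "example.com" is not a host under itself
    return any_depth or "." not in prefix


def usable_mx_hosts(policy: Dict[str, object], mx_rrset: List[str]) -> List[str]:
    """Filter the full DNS MX RRset down to the hosts the policy permits.

    The RRset is passed through whole and filtered here, after the lookup,
    so loop-elimination logic that needs the complete set still sees it.
    """
    patterns: List[str] = policy["mx"]  # type: ignore[assignment]
    return [h for h in mx_rrset if any(mx_matches(p, h) for p in patterns)]


if __name__ == "__main__":
    for label, text in (("draft-era", DRAFT_POLICY), ("RFC 8461", RFC_POLICY)):
        print(label, "->", usable_mx_hosts(parse_policy(text), MX_RRSET))
```

The point the post makes shows up in the output: `mx-new.example.com`, which did not exist when either policy was written, is accepted by both without anyone editing the policy, while `mx.example.net` is rejected by both. The two forms differ only on the deeper `backup.mail.example.com`, which the any-depth draft-era pattern accepts and the single-label RFC 8461 pattern does not.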