Re: [Uta] STS and SNI (was Re: Interaction between MTA-STS and DANE)
> On Oct 27, 2017, at 12:39 PM, Alberto Bertogli <[hidden email]> wrote:
> So to me you are arguing to add a non-trivial amount of complexity to
> certificate validation, and make it differ significantly from widely
> used and tested logic; in exchange for making it easier for <1% of the
> hosts to potentially adopt STS.
There are more reasons:
* Many domains will want to be able to change the list of MX hosts
in DNS without having to remember to update the policy definition,
which I can assure you they are going to forget to do... To
make that work they can (as written) simply specify:
And then any host in ".example.com" will do, which will be secure
enough for the needs of SOHO domains without well-staffed dedicated
operations teams and robust operational discipline.
* With the names in the policy just patterns to match in the remote
certificate, fewer implementations will botch the loop elimination
logic, which is likely to happen when the list is a verbatim
duplication of the MX RRset in DNS, and it becomes tempting to
prune DNS responses at the earliest possible moment.
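The two points above (a policy pattern such as ".example.com" covering any MX host under the domain, and not pruning the MX RRset against the policy before loop elimination has run) can be made concrete with a small matcher. The following is an added example written for this page, not code from the thread, from any MTA, or from the MTA-STS draft itself. It assumes the leading-dot semantics described in the message (any host within the domain, as the draft under discussion is characterised here) alongside the single-label "*." form that the published RFC 8461 specifies; the policy text and MX RRset are constructed sample data.

```python
"""Match MX hostnames against MTA-STS "mx:" policy patterns.

Added example for illustration only. Assumptions (labelled):
  - ".example.com" follows the draft semantics described in the message:
    any host under example.com, at any depth, but not the bare domain.
  - "*.example.com" follows RFC 8461: the wildcard covers exactly one label.
The policy text and MX RRset below are constructed sample data.
"""

# Constructed sample policy, in the key/value line format MTA-STS uses.
POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: .example.com\n"
    "mx: backup.example.net\n"
    "max_age: 604800\n"
)

# Constructed sample MX RRset as a resolver might return it (in DNS order).
MX_RRSET = [
    "mx1.example.com",
    "mx2.example.com",
    "new-mx.example.com",   # added to DNS later; policy needs no edit
    "backup.example.net",
    "relay.other.example",  # not covered by any pattern
]


def parse_policy(text: str) -> dict:
    """Parse policy lines into a dict; 'mx' is a list since it may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """True if one policy pattern covers a hostname (case-insensitive,
    trailing dots ignored). The same function can be applied to MX names
    from DNS or to dNSName entries from the remote certificate."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        # RFC 8461 form: the wildcard stands for exactly one leftmost label.
        suffix = pattern[1:]                      # ".example.com"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]
        return bool(left) and "." not in left
    if pattern.startswith("."):
        # Draft form as described in the message (assumption): any host
        # within the domain, however deep, but not the bare apex name.
        return hostname.endswith(pattern) and len(hostname) > len(pattern)
    return hostname == pattern


def acceptable_mx(policy: dict, mx_rrset: list) -> list:
    """Return the MX hosts some policy pattern covers, preserving DNS order.

    This is a filter over an already complete RRset: loop-elimination and
    preference handling should run over the unpruned DNS answer first, so
    that a local host listed in DNS is still recognised as such."""
    return [h for h in mx_rrset if any(mx_matches(p, h) for p in policy["mx"])]


if __name__ == "__main__":
    policy = parse_policy(POLICY)
    print("mode:", policy["mode"], "patterns:", policy["mx"])
    for host in MX_RRSET:
        print(f"{host:22s} {'covered' if host in acceptable_mx(policy, MX_RRSET) else 'rejected'}")
```

Note that the leading-dot pattern deliberately does not match the bare domain "example.com", nor a lookalike such as "evil-example.com", because the comparison includes the dot; a naive `endswith("example.com")` check would accept the latter.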