301318 Re: Individual smtpd_tls_ask_ccert?
- Jul 29, 2014
On 29.07.2014 at 19:40, Viktor Dukhovni wrote:
> On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote:
>> First we should extend DNS using another MX-like entry, to be able to
>> define authoritative MTA client nodes for a specific domain, so we have
>> something to stick on.
> This was abandoned in favour of SPF, DKIM and DMARC.
> It was an anti-spam measure, and has no direct bearing on TLS client
That RFC is from 2005 and was considered for anti-spam, as you've said.
But does that mean it is buried forever?
If we have a new - and quite serious - purpose here (having mutual TLS
security in mind), it should be revived to support that.
If there's another way, I'm fine with that. But we have to improve here
by any means, to keep up with the ongoing arms race.
Having neat things like DNSSEC and DANE to back up TLS security
doesn't make much sense, if only one party/peer of each connection can
uphold a certain security level.