301318 Re: Individual smtpd_tls_ask_ccert?

  • BlueStar88
    Jul 29, 2014
      On 29.07.2014 at 19:40, Viktor Dukhovni wrote:
      > On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote:
      >> First we should extend DNS using another MX-like entry, to be able to
      >> define authoritative MTA client nodes for a specific domain, so we have
      >> something to stick on.
      > This was abandoned in favour of SPF, DKIM and DMARC.
      > http://tools.ietf.org/html/draft-crocker-csv-csa-00
      > It was an anti-spam measure, and has no direct bearing on TLS client
      > authentication.

      That RFC is from 2005 and was considered for anti-spam, as you've said.
      But does that mean it is buried forever?
      If we have a new - and quite serious - purpose here (having mutual TLS
      security in mind), it should be revived to support that.

      If there's another way, I'm fine with that. But we have to improve here
      by any means, to keep up with the ongoing arms race.
      Having neat things like DNSSEC and DANE to back up TLS security
      doesn't make much sense if only one party/peer of each connection can
      uphold a certain security level.

      BlueStar88 (bluestar88@...)