cloos at jhcloos.com
Mon Jan 19 18:36:16 CET 2015
>>>>> "VD" == Viktor Dukhovni <ietf-dane at dukhovni.org> writes:
VD> Postfix will not use any "distribution provided" Web PKI CAs when
VD> doing DANE authentication. In particular it maps usage PKIX-EE(1)
VD> to DANE-EE(3).
Perhaps not, but one still gets Trusted in the logs when sending to
sites like goog where each mx has a ca-signed cert.
VD> This is not useful. Neither "may" nor "dane" make any use of such
VD> certificates, they just slow down smtp(8) process startup.
Not every destination has tlsa.
VD> These are used for "secure", but that's for designated destinations,
VD> and should generally be much more selective about which CAs to
VD> trust in that context.
It is a step up from Untrusted.
I do, of course, still prefer that all destinations support dane.
But until then....
James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6