On Wed, Jul 09, 2014 at 12:27:18PM +0100, Stephen Farrell wrote:

> And even though we do IMO have a really good success
> story for OS with recent deployments of STARTTLS for MTA-MTA SMTP,
> it'll be interesting to see if the non-authenticated cases there
> transition towards authenticated endpoints or not over time so we
> might be better off waiting a while to find out stuff like that
> before writing BCP text.

Transition to PKIX authentication is unrealistic for SMTP:

    http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10#section-1.3

so any large-scale use of authenticated STARTTLS with SMTP is predicated on DANE adoption, which is predicated on DNSSEC deployment. While I am hopeful that the pace of DNSSEC adoption will pick up, this will take some time. It would help if more applications than a single MTA took advantage of DANE, motivating broader DNSSEC adoption.

The SMTP problem is generic to any protocol that is opportunistic and uses DNS indirection (MX, SRV, ...).

Thus, while Facebook's SMTP security report seems to suggest that they expect or hope for SMTP authentication via CA certificates to become more prevalent, they are misguided. PKIX CA authentication with SMTP without per-destination manual settings gives at best illusory security. There is little point in deploying public CA-issued certs on public MX hosts unless one has static reciprocal authentication arrangements with partner domains.

-- 
	Viktor.
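Added example, not part of the thread above and not code by any of its participants: the TLSA matching step that the DANE-for-SMTP draft linked in the message relies on, written here in Python with only the standard library. It derives the TLSA owner name for an MX host (so the MX hostname itself has to come from a DNSSEC-validated answer, which is the DNS-indirection point the message makes), parses TLSA records in presentation and wire form, applies the RFC 6698 selector/matching-type rules, and authenticates a leaf certificate against DANE-EE(3) records. PKIX-TA(0)/PKIX-EE(1) records are treated as unusable for SMTP, as the draft specifies; DANE-TA(2) records need a chain walk that is not shown. All function names and the SubjectPublicKeyInfo bytes are constructed for this example.

```python
"""RFC 6698 TLSA handling for DANE SMTP (added example, stdlib only)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo. A real
# client extracts this from the leaf certificate the MX host presents
# during the STARTTLS handshake.
SAMPLE_SPKI_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x03\x01\x00\x01"

DANE_TA, DANE_EE = 2, 3          # the only certificate usages usable for SMTP
SEL_CERT, SEL_SPKI = 0, 1        # selector: full certificate or SubjectPublicKeyInfo
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an MX host: _25._tcp.<mx-host>.

    The MX hostname must come from a DNSSEC-validated MX lookup; an
    unsigned MX answer lets an attacker pick which TLSA RRset is consulted.
    """
    return f"_{port}._tcp.{mx_host.rstrip('.').lower()}."


def parse_tlsa_presentation(text: str) -> TLSA:
    """Parse zone-file form, e.g. '3 1 1 <hex>' (hex may be split by spaces)."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def parse_tlsa_rdata(wire: bytes) -> TLSA:
    """Parse RDATA wire form: three one-octet fields then association data."""
    if len(wire) < 3:
        raise ValueError("TLSA RDATA too short")
    return TLSA(wire[0], wire[1], wire[2], wire[3:])


def to_rdata(rr: TLSA) -> bytes:
    return bytes([rr.usage, rr.selector, rr.mtype]) + rr.data


def is_usable_for_smtp(rr: TLSA) -> bool:
    """Unknown parameters make a record unusable; PKIX usages are ignored for SMTP."""
    return (rr.usage in (DANE_TA, DANE_EE)
            and rr.selector in (SEL_CERT, SEL_SPKI)
            and rr.mtype in (MT_FULL, MT_SHA256, MT_SHA512))


def rr_matches_cert(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 section 2.1: compare association data with the selected cert part."""
    if not is_usable_for_smtp(rr):
        return False
    selected = cert_der if rr.selector == SEL_CERT else spki_der
    if rr.mtype == MT_FULL:
        return selected == rr.data
    if rr.mtype == MT_SHA256:
        return hashlib.sha256(selected).digest() == rr.data
    return hashlib.sha512(selected).digest() == rr.data


def dane_ee_authenticates(rrset: Iterable[TLSA], leaf_der: bytes, leaf_spki_der: bytes) -> bool:
    """True if any DANE-EE(3) record matches the leaf certificate.

    DANE-EE needs no PKIX chain, name check or expiry check: the DNSSEC-signed
    TLSA record is the trust anchor. DANE-TA(2) records are skipped here.
    """
    return any(rr.usage == DANE_EE and rr_matches_cert(rr, leaf_der, leaf_spki_der)
               for rr in rrset)


if __name__ == "__main__":
    owner = tlsa_owner("MX1.Example.COM")
    rr = parse_tlsa_presentation("3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest())
    print(owner, "IN TLSA", rr.usage, rr.selector, rr.mtype, rr.data.hex())
    print("authenticated:", dane_ee_authenticates([rr], b"", SAMPLE_SPKI_DER))
```

If every record in the RRset is unusable, a DANE-aware MTA does not fail the delivery; it falls back to unauthenticated opportunistic TLS, which is exactly the state the message expects most SMTP to stay in until DNSSEC deployment catches up.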