>>>>> "Patrik" == Patrik Fältström <paf@xxxxxxxxxx> writes:
>> On 25 feb 2015, at 19:56, Sam Hartman <hartmans-ietf@xxxxxxx> wrote:
>>
>> I disagree that SRV or MX introduces similar complexity into
>> standards.
Patrik> Sam, I feel I need to understand this.
Patrik> For MX, you have to start with a URI like this:
Patrik> mailto:paf@xxxxxxxxxx
I'm sorry, I don't understand how a URI is involved in MX processing.
I don't think any of the specs are written in terms of URIsand I find
thinking of MX processing in terms of URIs to be confusing.
For email, we've never really had wide-scale deployment of TLS that does
certificate validation.
Across the Internet, starttls tends to provide something similar to
opportunistic security.
Within an organization where specific certificates are being validated
to specific anchors, I'd be mildly surprised if MX processing was a
significant part of the configuration.
I suspect there's not much uniformity about whether you check the
queried domain or the resulting domain for the certificate, and I
suspect that you'll probably need MTA-specific configuration to get cert
validation to be particularly useful with SMTP. If I were writing an
MTA, I'd expect the cert to match what went into the MX query, not what
came out. However, I'd have a variety of configuration options all
defaulting to not checking the certificate at all.