Re: [Uta] E-Mail Protocol Security Measurements

On Sat, Oct 31, 2015 at 06:28:16AM +0100, Aaron Zauner wrote:

> That article is referencing another paper, presented at IMC15 by
> UMichigan, UCI and Google researchers, publicly available over here:
> http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf
> 
> ..there're also problems with some of the details in the article.
> 
> (Yeah, we haven't yet got any media exposure :))

Thanks for the clarification; the coincidence in the timing led me
astray into linking the article with the wrong paper.

> > I cringe every time someone bemoans the lack of "valid" certificates
> > in SMTP, such certificates are largely a worthless fashion statement.
> > (Some domains have bilateral arrangements with business partners
> > to verify email traffic certificates, but these arrangements are
> > exceedingly rare).
> 
> Yes. But even for mail there're valid points to use official
> certificates (i.e. nodes clients talk to).

Yes, WebPKI is well suited for submission, POP and IMAP.

> For MTA to MTA
> communication various solutions have been suggested, to the best of
> my knowledge none is widely deployed so far.

Yes, none are even lightly deployed.  At some tens of thousands of
domains, DANE deployment is still rather negligible; I am hoping
that will start to change in 2016.

> > Hence, DANE for SMTP and related efforts.  No mass-scale use of
> > end-to-end encryption is looming to save the day, so transport
> > security is finally getting the attention it deserves.  My DANE
> > survey is at 9000 domains and counting, with adoption picking up
> > the pace a bit lately.  Some domain hosting providers have implemented
> > tens of thousands of additional DANE domains that do not show up
> > in my surveys.  It is still very early in the process, but I am
> > cautiously optimistic.
> 
> Is data on your DANE survey publicly available anywhere or are there
> more details on that? I'd be very interested in the results.

I am not doing research, so the results are not intended for
publication.  Rather I am monitoring deployment, and clearing
hurdles to deployment by notifying operators of nameservers that
handle DNSSEC poorly and operators of domains who publish incorrect
or stale TLSA records.

In ~September last year I was able to identify only ~200 DANE
domains and around 4000 domains whose DNS breaks DANE.  Now it is
9000+ DANE domains, and under 100 domains whose DNS breaks DANE.

Of the 9000 domains, 6200 are hosted by 3 registrars; most of the
rest are domains operated by individual "hobbyists".  However, 27
domains (up from 24 two weeks ago) are "large enough" to appear in
Google's email transparency report.

At least 40% of the domains are registered in Germany.

-- 
	Viktor.



