> * The draft attempts to introduce SRV-ID as a security mechanism
> for mail services. SRV-ID does not require DNSSEC, but does
> require that CAs be able to figure out which service providers
> are legitimately hosting a given domain.
>
>Is the objection that this is not realistic? I can see that it
>won't always be an option. There is a class of service providers
>for whom this is possible, namely those that are also WebPKI CAs.
>So GoDaddy and the like would be able to issue SRV-ID certificates
>for domains they host. Is that enough to justify including the
>SRV-ID use-case in the draft?

Given the limited number of organizations that are both CAs and mail
hosts, it seems a poor idea to tell people to implement something
which will at best be flaky.

>Or is it the case that you'd prefer text that says that the problem
>has no broadly workable solution in the absence of DNSSEC?

Well, it's true.

R's,
John