Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns

Tony Finch <dot@dotat.at> Wed, 03 November 2010 23:21 UTC

References: <p0624086dc8ef9feba340@10.20.30.151> <B6CEBA10-0198-4AB3-B6D4-E7D835FD47F1@princeton.edu> <AANLkTin-CqduBX5ibUCb0+1Lr-GXJ-KGd8YxzjUTPEO7@mail.gmail.com> <CA58B286-8F9D-423D-B9BF-91347F6FD960@Princeton.EDU> <1288462840.1977.4.camel@mattlaptop2.local> <69345A7D-4834-40E4-99C2-EDF3FC2DDEB3@Princeton.EDU> <1288469609.1977.178.camel@mattlaptop2.local> <EAC89FC3-184C-449C-AE5B-E3950578ED30@Princeton.EDU> <1288477403.1977.319.camel@mattlaptop2.local> <m3wroz6x81.fsf@jhcloos.com> <20101031010146.GA4930@LK-Perkele-V2.elisa-laajakaista.fi> <m3hbg355hv.fsf@jhcloos.com> <A0A8C24A-D042-4412-B6D5-35909495A83A@kirei.se> <alpine.LSU.2.00.1011031639050.12004@hermes-2.csi.cam.ac.uk> <D934640B-B49A-49E3-B2E6-29C14F220AA2@kirei.se>
In-Reply-To: <D934640B-B49A-49E3-B2E6-29C14F220AA2@kirei.se>
Message-Id: <BFAFBFD1-8B68-4483-8482-EC664E999632@dotat.at>
From: Tony Finch <dot@dotat.at>
Date: Wed, 03 Nov 2010 23:21:20 +0000
To: Jakob Schlyter <jakob@kirei.se>
Cc: Steve Schultze <sjs@Princeton.EDU>, "keyassure@ietf.org" <keyassure@ietf.org>
Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns

On 3 Nov 2010, at 20:32, Jakob Schlyter <jakob@kirei.se> wrote:
> 
> I most likely do not have the same key material for all SMTP servers.

There's nothing stopping you from having multiple cert records alongside your MX records. It's easy to ensure the DNS is correct if your MXs are managed as a coherent service. Old style secondary MXs cause significant operational problems and no longer have any advantages.

Tony.
--
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
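Added example (not part of Tony's message or of any draft discussed on the list): what "multiple cert records alongside your MX records" looks like in practice, and the consistency check that makes it easy when the MX set is managed as one service. It uses the later DANE TLSA conventions (RFC 6698 / RFC 7672, usage 3 DANE-EE, selector 1 SPKI, matching type 1 SHA-256) rather than the 2010 draft's record format; the host names, the placeholder SubjectPublicKeyInfo bytes and the zone contents are all constructed. The third MX models the old-style secondary Tony warns about: operated separately, its key was rotated but its DNS record was not, so a DANE-aware sender would refuse delivery there.

```python
"""Per-MX TLSA records and an audit that every MX host's published record matches the key it serves.

Added example; assumes DANE TLSA "3 1 1" records (RFC 6698/7672). All data below is constructed.
"""
import hashlib

# Constructed MX RRset for the mail domain: (preference, exchanger).
MX_RRSET = [
    (10, "mx1.example.net."),
    (10, "mx2.example.net."),
    (20, "backup.example.org."),  # old-style secondary MX run by a different operator
]

# Constructed stand-ins for the DER SubjectPublicKeyInfo each server actually presents in TLS.
# In real use these would be extracted from the server certificate.
SERVED_SPKI = {
    "mx1.example.net.": b"constructed-spki-mx1",
    "mx2.example.net.": b"constructed-spki-mx2",
    "backup.example.org.": b"constructed-spki-backup-NEW",  # key rotated, DNS not updated
}


def tlsa_owner(host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an SMTP server: _25._tcp.<mx host>."""
    return f"_{port}._tcp.{host}"


def tlsa_311(spki: bytes) -> str:
    """RDATA of a TLSA record: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki).hexdigest()


def publish_tlsa(mx_rrset, served):
    """Generate the TLSA RRsets for every MX host from the keys the hosts really serve.

    This is the "coherent service" case: the zone is derived from the servers, so the two
    cannot drift apart. Returns {owner name: [rdata, ...]}.
    """
    return {tlsa_owner(host): [tlsa_311(served[host])] for _, host in mx_rrset}


# Constructed zone as currently published: mx1/mx2 are correct, backup still carries the old key.
ZONE = {
    tlsa_owner("mx1.example.net."): [tlsa_311(b"constructed-spki-mx1")],
    tlsa_owner("mx2.example.net."): [tlsa_311(b"constructed-spki-mx2")],
    tlsa_owner("backup.example.org."): [tlsa_311(b"constructed-spki-backup-OLD")],
}


def check_mx(host, zone, served):
    """Classify one MX host from a DANE-aware sender's point of view.

    'ok'       : a published TLSA record matches the served key; deliver with verified TLS.
    'unsigned' : no TLSA RRset at all; RFC 7672 falls back to opportunistic (unauthenticated) TLS.
    'mismatch' : TLSA records exist but none matches the served key; delivery must be refused,
                 which is what happens to a secondary MX whose DNS is not kept in step.
    """
    records = zone.get(tlsa_owner(host))
    if not records:
        return "unsigned"
    return "ok" if tlsa_311(served[host]) in records else "mismatch"


def audit(mx_rrset, zone, served):
    """Audit the whole MX set; returns {host: status}."""
    return {host: check_mx(host, zone, served) for _, host in mx_rrset}


def zone_file_lines(zone):
    """Render the TLSA RRsets as zone-file lines for review alongside the MX records."""
    return [f"{owner} IN TLSA {rdata}" for owner, rrs in sorted(zone.items()) for rdata in rrs]


if __name__ == "__main__":
    for host, status in audit(MX_RRSET, ZONE, SERVED_SPKI).items():
        print(f"{host:24} {status}")
    print("regenerated from served keys:")
    for line in zone_file_lines(publish_tlsa(MX_RRSET, SERVED_SPKI)):
        print("  " + line)
```

Running the audit against the published zone flags backup.example.org. as a mismatch while the two managed MXs pass; regenerating the zone from the served keys with publish_tlsa clears it. During a key rotation on a host you control, publish the new record next to the old one before switching keys and drop the old one afterwards, so the audit never reports a mismatch in between.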