[Cryptography] Dark Mail Alliance specs?
tpb-crypto at laposte.net
Tue Mar 25 20:28:52 EDT 2014
> Message of 26/03/14 00:50
> From: "Viktor Dukhovni"
> To: cryptography at metzdowd.com
> Cc:
> Subject: Re: [Cryptography] Dark Mail Alliance specs?
>
> The good part of nobody checking SMTP certificates is that deployment
> is easy. On the server just spin-up a self-signed cert and off
> you go. On the client no root CAs to worry about, just enable
> opportunistic TLS and harden the traffic against passive eavesdropping.
>
> If you want security in the face of active attacks on SMTP, you
> need DNSSEC and DANE. At the moment this requires a Postfix 2.11.0
> client with a local validating resolver and a remote server with
> MX records, MX host addresses and MX host TLSA records in a DNSSEC
> signed zone.
>
Thanks for the clarifications, I'm not a sysadmin, lol.
How about a process that remotely checks the key signature every few minutes from different countries to see if it is being spoofed and then shuts the SMTP port if a problem like that is detected?
Wouldn't that make the GCHQ quantum-attack less practical?
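
The two client setups contrasted in the quoted reply, written out as Postfix configuration. This is an added example, not part of the original message or of either poster's configuration; the host name mx.example.com, the file paths and the TLSA digest are placeholders.

```ini
# /etc/postfix/main.cf on the SENDING host (Postfix >= 2.11)

# Opportunistic TLS, as in the first quoted paragraph: encrypt when the
# peer offers STARTTLS and accept any certificate, self-signed included.
# This protects against passive eavesdropping only.
#smtp_tls_security_level = may

# DANE, as in the second quoted paragraph: resolve with DNSSEC and
# authenticate the MX host against its TLSA records.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
# Log a summary line for each TLS session.
smtp_tls_loglevel = 1

# The "local validating resolver" requirement: /etc/resolv.conf on this
# host lists only a validating resolver on loopback, for example
#   nameserver 127.0.0.1

# /etc/postfix/main.cf on the RECEIVING host: offer STARTTLS.
# (placeholder paths; the certificate may be self-signed)
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/postfix/mx.example.com.pem
#smtpd_tls_key_file  = /etc/postfix/mx.example.com.key

# TLSA record published in the receiving domain's DNSSEC-signed zone,
# next to its MX and address records (placeholder name and digest):
#   _25._tcp.mx.example.com. IN TLSA 3 1 1 <hex SHA-256 of the server public key>
```

With the `dane` level, destinations that publish no DNSSEC-validated TLSA records are still delivered to with opportunistic TLS.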