[Cryptography] Dark Mail Alliance specs?

tpb-crypto at laposte.net tpb-crypto at laposte.net
Tue Mar 25 20:28:52 EDT 2014

> Message du 26/03/14 00:50
> De : "Viktor Dukhovni" 
> A : cryptography at metzdowd.com
> Copie à : 
> Objet : Re: [Cryptography] Dark Mail Alliance specs?
> The good part of nobody checking SMTP certificates is that deployment
> is easy. On the server just spin-up a self-signed cert and off
> you go. On the client no root CAs to worry about, just enable
> opportunistic TLS and harden the traffic against passive eavesdropping.
> If you want security in the face of active attacks on SMTP, you
> need DNSSEC and DANE. At the moment this requires a Postfix 2.11.0
> client with a local validating resolver and a remote server with
> MX records, MX host addresses and MX host TLSA records in a DNSSEC
> signed zone.

Thanks for the clarifications, I'm not a sysadmin, lol.

How about a process that remotely checks the key signature every few minutes from different countries to see if it is being spoofed and then shut closed the SMTP port if a problem like that is detected?

Wouldn't that make the GCHQ quantum-attack less practical?

More information about the cryptography mailing list