by mike-cardwell
4262 days ago
I'm not sure what proportion of servers use TLS. I imagine a lot of mail would go missing if you started to require it though. IIRC, Google started publishing numbers somewhere. The good thing about involving DNSSEC+DANE is that, even the first time an SMTP server connects to another, it knows that it must use TLS and must expect a particular certificate. With HSTS you don't get that protection on the first connection.
I guess DANE (with or without DNSSEC) could also be used to cover the first connection, but I guess I'd prefer a world where the previous connection was used as the primary point of trust (the HSTS+TACK approach) rather than the "trusted root" (DNSSEC or CA).
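The first-connection behaviour described in the thread, as an added example that is not code from either commenter: given the TLSA RRset a DNSSEC-validated lookup of `_25._tcp.<mx-host>` returned, an SMTP client decides up front whether TLS is mandatory and whether the presented certificate is the one the zone published (RFC 6698 matching, RFC 7672 usage rules). The certificate and SPKI bytes are constructed stand-ins, and the records are assumed to have arrived with DNSSEC "secure" status; without that, DANE records carry no trust.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA record from _25._tcp.<mx-host> (RFC 6698 wire fields)."""
    usage: int     # 2 = DANE-TA, 3 = DANE-EE; 0/1 (PKIX-*) are unusable for SMTP (RFC 7672)
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def _association(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bytes:
    """What this certificate's association data would be under the record's selector/mtype."""
    blob = cert_der if rec.selector == 0 else spki_der
    return {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[rec.mtype](blob)

def usable(records):
    """Records an SMTP client can act on: DANE usages with known selector and matching type."""
    return [r for r in records if r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)]

def tls_policy(records):
    """records: the (DNSSEC-validated) TLSA RRset; an empty list means no RRset exists.
    'opportunistic': no RRset, so STARTTLS only if offered (the HSTS-like first-contact gap);
    'encrypt': RRset present but no usable record, so TLS is required but not authenticated;
    'authenticate': usable record, so TLS is required and the certificate must match it."""
    if not records:
        return "opportunistic"
    return "authenticate" if usable(records) else "encrypt"

def chain_matches(chain, records):
    """chain: [(cert_der, spki_der), ...] leaf first, as presented in the TLS handshake.
    DANE-EE (3): the leaf itself must match. DANE-TA (2): a presented issuer must match;
    the leaf must also chain to that issuer, a signature check not shown here."""
    for rec in usable(records):
        if rec.usage == 3 and _association(*chain[0], rec) == rec.data:
            return True
        if rec.usage == 2 and any(_association(c, k, rec) == rec.data for c, k in chain[1:]):
            return True
    return False

# Constructed sample data: stand-ins for DER bytes, not real certificates or keys.
LEAF = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
ISSUER = (b"constructed-issuer-cert-der", b"constructed-issuer-spki-der")
EE_RRSET = [TLSA(3, 1, 1, hashlib.sha256(LEAF[1]).digest())]      # the common "3 1 1" record
TA_RRSET = [TLSA(2, 0, 2, hashlib.sha512(ISSUER[0]).digest())]    # a "2 0 2" trust-anchor record

if __name__ == "__main__":
    print(tls_policy(EE_RRSET), chain_matches([LEAF, ISSUER], EE_RRSET))
```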