
John Levine via NANOG <nanog@lists.nanog.org> writes:
MTA-STS does the same thing more kludgily for people who don't like DNSSEC.
What if I don't like public CA certificates for email servers? Will MTA-STS stay optional, or will it be "optional" like DKIM and SPF?

AFAICS, we did not need MTA-STS. It is an attempt to solve the same problem DANE solved a long time ago, but adding several new problems:

- server and client must agree on trusted CAs, but the list is unspecified
- the spec mandates not only a special purpose DNS policy label ("_mta-sts"), but also a special purpose host name ("mta-sts")
- the latter name must also have a certificate
- configuration and operation is way more complicated than DANE, requiring a web server in addition to DNS configuration
- the web server is a single point of failure in the design, and must be duplicated in different ASes if you want anything resembling DANE robustness
- the web server is just smoke and mirrors, adding nothing to the provided trust. MTA-STS is only as trustworthy as the _mta-sts and mta-sts DNS records. DNSSEC is required in practice if you are going to trust them. But why do you need MTA-STS if you can do DANE?

These problems are worse for small sites than for the dominant players. Just like DMARC/SPF/DKIM policies, small sites are mistrusted unless they implement *all* available protection mechanisms. So they can't choose between DANE and MTA-STS. They have to do both. And where the dominant players run their own CA which they force others to trust, the small site has to carefully select some CA which is trusted by every MTA-STS service out there.

The operational cost of a redundant web service is pretty much independent of email volume. It will be significant if you run a low volume email server.

I guess it is possible that this is just an accident. Hanlon's razor etc. But traditional Internet email handled by small single domain servers has been under attack for a long time. The effect of MTA-STS is yet another hard blow. And given DANE, this is the *only* effect.

Why don't we just deprecate MTA-STS and make DANE mandatory, while it is still possible?

Bjørn
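As an added illustration of the moving parts the post lists (the "_mta-sts" TXT record, the "mta-sts" host and the policy file it must serve over HTTPS), the following example, which is not part of the original message, parses both artifacts in the RFC 8461 format and checks a list of MX hosts against the policy. The record and policy bodies are constructed sample data, and the domain names are placeholders; no DNS lookup or HTTPS fetch is performed, so it runs offline and shows only the parsing and matching step that a sending MTA performs after it has retrieved the two artifacts.

```python
import re

# Constructed sample inputs (not real records). In deployment, SAMPLE_TXT is what
# the sender reads from the _mta-sts.<domain> TXT record and SAMPLE_POLICY is the
# body fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt. Note that the
# HTTPS fetch only tells the sender what the DNS record already committed to; the
# policy's trust still rests on those DNS names resolving honestly.
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

# RFC 8461 bounds: id is 1..32 alphanumerics, max_age is at most one year in seconds.
ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")
MAX_AGE_LIMIT = 31557600
VALID_MODES = ("enforce", "testing", "none")


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record ('v=STSv1; id=...') into a dict."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    if not ID_RE.fullmatch(fields.get("id", "")):
        raise ValueError("missing or invalid id")
    return fields


def parse_policy(body):
    """Parse the mta-sts.txt policy body into {'version', 'mode', 'mx': [...], 'max_age'}."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate key: {key}")
            policy[key] = value
        # Unknown keys are extension fields and are ignored per RFC 8461.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("invalid or missing mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    if policy["max_age"] > MAX_AGE_LIMIT:
        raise ValueError("max_age exceeds one year")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx line")
    return policy


def mx_matches(policy, mx_host):
    """True if mx_host matches an mx pattern; '*.' wildcards cover exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def evaluate(txt, body, mx_hosts):
    """Return (policy id, mode, MX hosts the policy does not permit).

    In 'enforce' mode a sender must not deliver to any host in the rejected list;
    in 'testing' mode it only reports the mismatch.
    """
    record = parse_sts_txt(txt)
    policy = parse_policy(body)
    rejected = [h for h in mx_hosts if not mx_matches(policy, h)]
    return record["id"], policy["mode"], rejected


if __name__ == "__main__":
    print(evaluate(SAMPLE_TXT, SAMPLE_POLICY,
                   ["mail.example.com", "mx1.backup.example.net", "relay.example.org"]))
```

The wildcard rule is the detail most often got wrong: `*.backup.example.net` matches `mx1.backup.example.net` but neither `backup.example.net` itself nor `a.b.backup.example.net`, so a policy author who lists only the wildcard and also receives mail at the apex will see that host rejected once the policy is in enforce mode.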