"In order to detect downgrade attacks, we're hosting a policy list of mailservers that we know support STARTTLS."
That’s centralization, which has a host of issues. How do you know the centralized list is accurate?
Chrome started putting a TLS-only host list into Chrome, and then Firefox and IE copied them. And it created problems. Why?
Because now if you want to do testing on a sub-domain, the testing has to be done with a signed certificate; a self-signed one isn't allowed by the browser even for testing. And getting removed from the centralized list is a pain in the arse.
DNSSEC / DANE provides a distributed list of domain names with their fingerprints that the authoritative DNS server has control over, not a centralized list.
You know, way, way back, the hosts list was a centralized list that was distributed, and they switched to DNS because it was better than the centralized list model, easier to modify when needed.
Centralized lists aren’t the solution. DANE is, and that really is what should be promoted.
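The comment above describes DANE as a distributed list of fingerprints published by the domain's own authoritative DNS. The following is an added illustration, not part of the commenter's post, of what a DANE-aware SMTP client actually checks once it has fetched the TLSA records for a mail server: it parses the record's presentation form (usage, selector, matching type, association data, as defined in RFC 6698) and compares it against the certificate the server presented. The certificate bytes here are a constructed stand-in, not a real certificate; the TLSA owner name shown in a comment is a hypothetical example; and the helper names are this example's own, not an API of any DANE library.

```python
"""Added example: matching DANE TLSA records against a presented certificate.

Record format follows RFC 6698 (usage selector matching-type data); the usage
values a DANE SMTP client accepts (2 = DANE-TA, 3 = DANE-EE) follow RFC 7672.
All sample data below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for a DER-encoded certificate; a real client would use
# the leaf certificate received in the TLS handshake for, e.g.,
# _25._tcp.mail.example.com (hypothetical TLSA owner name).
SAMPLE_CERT_DER = bytes.fromhex("308201a2300d06092a864886f70d01010b0500") + b"constructed-cert-body"


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form, e.g. '3 0 1 <hex digest>'."""
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError("TLSA record needs four fields: usage selector matching-type data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= matching_type <= 2):
        raise ValueError("unknown TLSA usage, selector or matching type")
    return TLSARecord(usage, selector, matching_type, bytes.fromhex(fields[3]))


def _selected_bytes(record: TLSARecord, cert_der: bytes, spki_der: Optional[bytes]) -> bytes:
    """Selector 0 covers the whole certificate; selector 1 only the public key info."""
    if record.selector == 0:
        return cert_der
    if spki_der is None:
        # Extracting SPKI needs a DER parser; the caller supplies it in this example.
        raise ValueError("selector 1 requires the certificate's SubjectPublicKeyInfo DER")
    return spki_der


def _association_data(record: TLSARecord, selected: bytes) -> bytes:
    """Apply the matching type to the selected bytes."""
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: Optional[bytes] = None) -> bool:
    """True when the record's association data matches the presented certificate."""
    return _association_data(record, _selected_bytes(record, cert_der, spki_der)) == record.data


def first_usable_match(records: Iterable[TLSARecord], cert_der: bytes,
                       spki_der: Optional[bytes] = None) -> Optional[TLSARecord]:
    """Return the first DANE-TA/DANE-EE record that matches, or None.

    PKIX usages (0 and 1) are skipped: RFC 7672 treats them as unusable for
    SMTP, so a zone publishing only those gives the client nothing to pin to.
    A None result means the connection must not be trusted as DANE-verified.
    """
    for record in records:
        if record.usage in (2, 3) and tlsa_matches(record, cert_der, spki_der):
            return record
    return None


def expected_record_for(cert_der: bytes, usage: int = 3) -> str:
    """What the zone operator would publish for this certificate (selector 0, SHA-256)."""
    return f"{usage} 0 1 {hashlib.sha256(cert_der).hexdigest()}"


if __name__ == "__main__":
    published = [parse_tlsa(expected_record_for(SAMPLE_CERT_DER))]
    print("matches published record:", first_usable_match(published, SAMPLE_CERT_DER) is not None)
    # A different certificate (as a downgraded or substituted endpoint would present) fails.
    print("matches other cert:", first_usable_match(published, SAMPLE_CERT_DER + b"x") is not None)
```

The point of the `first_usable_match` result being `None` is the part a centralized allow-list cannot express: the decision to refuse the connection comes from data the domain owner signed into their own zone, not from a third party's list.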