From 3cf61a54b7ce08389a85f5282fd86ca958b121b7 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews <jsha@eff.org>
Date: Fri, 13 Jun 2014 13:57:05 -0400
Subject: [PATCH] Add alternatives section

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 6717f8b72..6e3d4212b 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,10 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d
 
 Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs.
 
+## Alternatives
+
+Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of a DANE solution easier.
+
 ## Detailed design
 
 Senders need to know which target hosts are known to support STARTTLS, and how to authenticate them. Since the network cannot be trusted to provide this information, it must be communicated securely out-of-band. We will provide: