SSL certificates for SMTP

Victor Duchovni Victor.Duchovni at MorganStanley.com
Thu May 24 19:13:46 EDT 2007


On Thu, May 24, 2007 at 01:55:49PM -0600, Peter Saint-Andre wrote:

> Paul Hoffman wrote:
> >At 6:34 PM +0200 5/23/07, Florian Weimer wrote:
> >
> >>But no one is issuing certificates which are suitable for use with
> >>SMTP (in the sense that the CA provides a security benefit).
> >
> >No one? I thought that VeriSign and others did, at least a few years ago.
> 
> FWIW, last year we established a dedicated Intermediate Certification 
> Authority for issuing digital certificates to admins of XMPP servers:
> 
> https://www.xmpp.net/

The main difficulty with SMTP is that indirection via MX records
maps poorly onto X.509v3 CommonName, and only slightly better onto
SubjectAlternativeName(DNS). Users don't request delivery to an MX host,
they request delivery to recipient at domain.

Indeed DNSSEC + certificates in a trusted DNS would be vastly better,
but not only are we not getting there, we don't even seem to be going
there at all.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
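
Added example, not part of the original message: a small Python sketch of the mismatch described above, comparing a server certificate against the MX host name and against the recipient domain. All host names and certificate contents are constructed, the matching rule is a simplified RFC 6125-style check, and the second scenario goes slightly beyond the message by showing an MX answer taken from unsigned DNS.

```python
# Added illustration: every host name and certificate below is constructed.

def dns_name_matches(pattern, hostname):
    """Exact match, or '*' standing for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert, reference):
    """Use subjectAltName DNS entries; fall back to CommonName if there are none."""
    names = cert.get("san_dns") or [cert["cn"]]
    return any(dns_name_matches(n, reference) for n in names)

def check_delivery(recipient_domain, mx_host, cert):
    """Compare the certificate with both names a sending MTA could verify."""
    return {
        "matches_mx_host": cert_matches(cert, mx_host),
        "matches_recipient_domain": cert_matches(cert, recipient_domain),
    }

# Hosted mail, CommonName only: the certificate can name just the MX host.
HOSTED_CN = {"cn": "mx1.mailhost.example"}
# Certificate for an unrelated host that an unauthenticated MX answer points to.
OTHER_CN = {"cn": "mx.other.example"}
# SAN(DNS) can carry several names, including the recipient domain itself.
OWN_SAN = {"cn": "mail.example.org", "san_dns": ["mail.example.org", "example.org"]}

def scenarios():
    domain = "example.org"  # the user asked for delivery to recipient@example.org
    return {
        "hosted_cn": check_delivery(domain, "mx1.mailhost.example", HOSTED_CN),
        "other_mx": check_delivery(domain, "mx.other.example", OTHER_CN),
        "own_san": check_delivery(domain, "mail.example.org", OWN_SAN),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10} {result}")
```

The hosted_cn and other_mx results are identical, so a match against a name learned from unsigned DNS says nothing about the recipient domain; only the SAN case ties the certificate to the name the user actually asked for.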


