307 digit number factored

Florian Weimer fw at deneb.enyo.de
Tue May 29 05:30:06 EDT 2007


* Victor Duchovni:

>> But no one is issuing certificates which are suitable for use with
>> SMTP (in the sense that the CA provides a security benefit).  As far
>> as I know, there isn't even a way to store mail routing information in
>> X.509 certificates.
>
> There is no need to store routing information:
>
> 	http://www.postfix.org/TLS_README.html#client_tls_limits
> 	http://www.postfix.org/TLS_README.html#client_tls_levels
> 	http://www.postfix.org/TLS_README.html#client_tls_verify
> 	http://www.postfix.org/TLS_README.html#client_tls_secure
>
> The short summary is that full security is only available when the
> receiving MX hosts have certs that match the recipient domain,

Which runs into the same problem as HTTP because the set of recipient
domain names is not known at the time the TLS handshake occurs.

> or the sender is willing to manually (in his MTA configuration) bind
> the recipient domain to the subject names (or in 2.5 fingerprints)
> of the appropriate MX hosts.

And if you use fingerprints, there is no need for PKI.  And in my
experience, PKI doesn't buy you that much if you need to configure
per-client privileges and things like that.  Using the DN instead of a
fingerprint doesn't seem to be worth the trouble.
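The two binding options Victor describes (a CA-verified certificate whose subject names are tied to the recipient domain, or a pinned certificate fingerprint) are both expressed through the Postfix per-destination TLS policy table. The following is an added illustration, not configuration from either poster; the domains, file paths and the digest value are assumptions, and the fingerprint is a placeholder to be replaced with the digest of the real receiving MX certificate (for example via `openssl x509 -noout -fingerprint -sha256`).

```text
# main.cf (added example; parameter names are real Postfix settings)
# Postfix does not allow trailing comments, so each note sits on its own line.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Digest algorithm used for "fingerprint" matches in the policy table.
smtp_tls_fingerprint_digest = sha256
# Trust anchors; consulted only by the "verify" and "secure" levels.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/tls_policy  (run: postmap hash:/etc/postfix/tls_policy after editing)
# Key is the next-hop (recipient) domain; value is the security level plus attributes.

# "secure": require a CA-signed certificate whose name matches one of the listed
# names.  A leading dot (".example.com") also accepts subdomains.  This is the
# manual recipient-domain-to-subject-name binding the thread refers to.
example.com     secure match=mail.example.com:.example.com

# "fingerprint" (Postfix 2.5+): require a certificate whose digest matches one of
# the listed values (separate alternatives with "|").  No CA is involved, which is
# the point Florian makes: with a pin, the PKI adds nothing.
# Placeholder value; substitute the sha256 digest of the real MX certificate.
example.net     fingerprint match=<sha256-fingerprint-of-mx-cert>

# Domains with no entry fall back to smtp_tls_security_level from main.cf
# (typically "may", which encrypts opportunistically but verifies nothing).
```

The operational trade-off is what the thread is about: the `secure` entry still depends on the CA having vouched for the MX name, whereas the `fingerprint` entry removes the CA but obliges the sender to update the table whenever the receiving MX rotates its certificate. A useful check after editing is `postmap -q example.net hash:/etc/postfix/tls_policy`, which prints the policy Postfix will actually apply to that destination.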

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com