[Cryptography] Even when they get it right they get it wrong

Viktor Dukhovni cryptography at dukhovni.org
Wed Jun 4 23:28:19 EDT 2014


On Wed, Jun 04, 2014 at 09:52:23AM -0400, Jerry Leichter wrote:

> Certificates for email servers are basically pointless, but still
> ... Yahoo's mail cert expired this morning at 8.  (Apple's Mail.app
> complains about it and asks me to confirm before allowing a
> connection.)

On an IMAP or submission server, certificates are maximally
applicable, since unlike a browser which visits every web site on
the 'Net, the MUA connects to just one server for each of IMAP and
SMTP.  If PKIX should work right anywhere, it should be this use-case.

> Sigh.

Indeed an embarrassing operational failure.  This is why DANE-EE(3)
associations won't have explicit expiration times (the dates in the
certificate will be ignored).

-- 
	Viktor.

