[Cryptography] Facebook on the state of STARTTLS
Viktor Dukhovni
cryptography at dukhovni.org
Tue May 20 14:08:51 EDT 2014
On Tue, May 20, 2014 at 11:36:45AM -0400, Eric Mill wrote:
> > My point is not that the CA certs are expensive in this case, they
> > could well have been priced quite reasonably, rather the issue
> > is that even at $0.01 they are entirely futile for SMTP. So whether
> > you spend $0.01 or $1,000.00 you still get nothing.
> >
>
> Could you explain why CA certs are futile for SMTP? It's not immediately
> obvious to me. (I'm new to STARTTLS, have never configured it.)
Fortunately, I have the analysis written down:
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane#section-1.3
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane#section-1.3.1
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane#section-1.3.2
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane#section-1.3.3
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane#section-1.3.4
start at the top of 1.3 and read through the end of 1.3.4 (which
ends with Goedel's CA PKI theorem, any set of PKIX CAs is either
incomplete or inconsistent).
--
Viktor.