[Cryptography] Digital Certificate Forensics: Clinton Email Server

Viktor Dukhovni cryptography at dukhovni.org
Thu Mar 12 02:46:19 EDT 2015


On Wed, Mar 11, 2015 at 08:21:01AM -0700, Henry Baker wrote:

> Digital certificates and their corresponding cryptographic keys
> are incredibly powerful.  They solved the biggest barriers to using
> the Internet: how do I know that a website is what it says it is
> and that communications with the site are private?

Since we're talking about email, one must remember that email isn't
just stored on the server in question, it travels via SMTP between
that server and correspondents in other domains.

The MX service for clintonemail.com is provided by a third-party
service that likely handles pesky anti-spam/anti-virus filtering
before forwarding the email onward.

The transmission via SMTP is not necessarily encrypted, and even
when TLS is used, it is generally opportunistic and unauthenticated.

So my conclusion is that Venafi are doing some unsurprising
opportunistic marketing, and the factual contribution to the story
has little merit.

TLS certificates don't protect data at rest (a key risk for email),
and very rarely protect SMTP traffic against active attacks
(especially before June 2013).

-- 
	Viktor.
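As an added example (not part of Viktor's post), the following Python probe makes the "opportunistic and unauthenticated" point concrete for an operator checking their own MX: it connects twice, once with the verify-nothing context most MTAs use and once with browser-style verification, and reports which handshake succeeds. It assumes the MX host name is already known (e.g. from an MX lookup); SAMPLE_EHLO is a constructed reply used only for the offline check.

```python
import smtplib
import ssl
import sys

# Constructed EHLO reply in the form smtplib.SMTP.ehlo() returns it:
# reply codes stripped, one line per extension, greeting first.
SAMPLE_EHLO = b"mx.example.invalid Hello\nSTARTTLS\nSIZE 52428800\n8BITMIME"

def ehlo_extensions(ehlo_msg: bytes) -> set:
    """Return the SMTP extension keywords advertised in an EHLO reply."""
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    # The first line is the server's greeting, not an extension.
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}

def opportunistic_context() -> ssl.SSLContext:
    """What most MTAs do: encrypt if STARTTLS is offered, verify nothing.
    Any certificate is accepted, so an active attacker is not detected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def authenticated_context() -> ssl.SSLContext:
    """Browser-style verification: trusted chain plus host name match."""
    return ssl.create_default_context()

def probe(mx_host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Report whether STARTTLS is offered and which TLS modes succeed."""
    result = {"starttls_offered": False, "opportunistic_ok": False,
              "authenticated_ok": False}
    for key, ctx in (("opportunistic_ok", opportunistic_context()),
                     ("authenticated_ok", authenticated_context())):
        smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
        try:
            _code, msg = smtp.ehlo()
            if "STARTTLS" not in ehlo_extensions(msg):
                return result  # cleartext only: nothing to verify
            result["starttls_offered"] = True
            smtp.starttls(context=ctx)  # handshake verified per ctx
            result[key] = True
        except (ssl.SSLError, smtplib.SMTPException, OSError):
            result[key] = False
        finally:
            smtp.close()  # drop the connection without QUIT
    return result

if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe MXHOST")
```

A result of `opportunistic_ok` true with `authenticated_ok` false is the common case Viktor describes: the session is encrypted, but nothing ties the certificate to the MX host, so an active attacker is not detected.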

