Re: TLS-certificates and interoperability-issues sendmail / Exchange / postfix ..

From: Mark Crispin (MRC_at_CAC.Washington.EDU)
Date: 04/03/05


Date: Sat, 2 Apr 2005 21:10:14 -0800

On Sun, 3 Apr 2005, Per Hedeland wrote:
> I'm afraid you're still missing my point - I'm not talking about what
> the software does or can do, but about what is actually done "out
> there".

Pine is an example of SMTP-TLS software that is "out there". Our
statistics indicate that there are a rather large number of users. The
c-client library, used by Pine, is also used by other programs (e.g.
Mahogany) so they have the same capabilities.

Although this is not enough data to claim that "all SMTP-TLS capable MUAs
validate certificates", it is enough to debunk the claim that "SMTP-TLS
capable MUAs do not validate certificates."

> But only if the SMTP servers have certificates signed by "official" CAs,
> of course. How common do you think that is, in terms of percentage of
> MTAs offering STARTTLS?

All of the MTAs (more accurately, MSAs) that offer STARTTLS that I access
have real certificates.

> Well, you're obviously talking about the procedures at UW here - so we
> can conclude that UW is one place where certificate validation is taken
> seriously. That still doesn't say anything about how common it is in
> general.

We talk a lot with our peer institutions. Many of them are doing the same
thing that we are. We have serious problems both with spam and with RBLs
listing us from time to time because student PC got a spam-engine worm.
Consequently, we and our peer institutions are rapidly closing all means
by which a user on our networks can transmit email without authentication.

Let's put it this way; I doubt very much that we or our peers will end up
with anything less than mandatory authentication and mandatory certificate
validation.

The whole reason why certificate validation is needed is to protect the
session from man-in-the-middle and other attacks. There is no point to
requiring authentication if it is trivial for bad guys to steal
authentication.

> I don't have any concrete evidence to support my belief - it's mostly
> based on implicit information gleaned from newsgroup postings and
> observations of actual mail transport.

As poor quality as the data in my testimony may be, your data appears to
be of worse quality.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.



Relevant Pages

  • Re: Single User: Password or Certificate
    ... > I've read numerous threads debating the merits of client certificates ... i tend to strongly favor public/private key for authentication ... ... verify the digital signature. ... the validation of the digital signature can imply "something you ...
    (comp.security.ssh)
  • Re: PEAP-TLS vs EAP-TLS
    ... MSCHAPV2 will not be used and then maybe that would be PEAP-TLS. ... select authentication method there are two choices - secured password ... certificates for both server authentication and client authentication; ... I think this means that there's a PEAP-TLS that's separate from EAP-TLS ...
    (microsoft.public.windows.server.security)
  • Re: public key vs passwd authentication?
    ... note that in the generic description of 3-factor authentication, ... certification authorities, and/or certificates ... considered a totally orthogonal business issue. ... possible to deploy a digital signature based two-factor authentication ...
    (comp.security.ssh)
  • RE: IAS server blues (Cant get 802.1x to work)
    ... clients. ... and it appears that the certificates are deploying correctly. ... Proxy-Policy-Name = Use Windows authentication for all users ... IAS Log Sample ...
    (microsoft.public.windows.server.general)
  • Re: eap-tls and peap-tls
    ... server is doing the internal validation. ... > "configure" option of the authentication method which is selected from ... > machine and user certificates (using peap-tls) does the IAS server ...
    (microsoft.public.internet.radius)