Re: TLS-certificates and interoperability-issues sendmail / Exchange / postfix ..
From: Per Hedeland (per_at_hedeland.org)
Date: 04/03/05
Date: Sun, 3 Apr 2005 13:43:58 +0000 (UTC)
In article <Pine.WNT.4.63.0504030056240.820@Shimo-Tomobiki.panda.com>
Mark Crispin <MRC@CAC.Washington.EDU> writes:
>On Sun, 3 Apr 2005, Per Hedeland wrote:
>> I'm sure they do - but for the umpteenth time, my belief is that people
>> generally don't make use of those capabilities.
>
>And I am trying to tell you for the umpteenth time that, with the software
>in question, users have to go to considerable extra trouble *not* to use
>those capabilities. The software validates certificates by *default*.

Assuming that the users have the CA certificate installed, yes. There's
obviously no reason for them not to use the validation in that case. My
belief is that they in most cases don't have that, for a variety of
reasons elaborated on in previous postings.

>It is quite another to state that most users will go to extra trouble in
>order to be less secure. But, in effect, you are implying that.

Not at all.

>You also seem to be implying that, for some reason, SMTP servers are less
>likely to have validatable certificates than servers for other protocols.

I'm not sure exactly what you mean by "validatable", but on the
assumption that you mean "not signed by a CA that the SMTP client is
likely to have a certificate for", yes, it is my definite impression
that this is the case. Though as of late I've noticed that this is
increasingly common also for HTTPS.

>I don't see any evidence to support that hypothesis.

Maybe you're just not looking hard enough. Here's a random sample:

subject=/C=US/ST=WA/L=Seattle/O=University of Washington/OU=CAC/CN=mx1.cac.washington.edu/emailAddress=ndc-sysmgt@cac.washington.edu
issuer=/C=US/ST=WA/O=University of Washington/OU=UW Services/CN=UW Services CA/emailAddress=help@cac.washington.edu

>Do you have any example of any SMTP-TLS client which does not validate
>certificates?

No, and since this is specifically *not* what I'm talking about, while
you keep insisting that it is, I'm clearly not able to make you
understand what I'm saying - regardless of the reason for that, I thus
see no point in continuing this discussion.

For anyone else that may have suffered through this thread, the point of
my original post, now lost in the noise, was not primarily to assert
that certificate validation doesn't happen, but to point out that it is
in many cases quite feasible to make it happen even without certificates
signed by "official" CAs.

--Per Hedeland
per@hedeland.org
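
Added example, not part of the original post: the closing point above (validation works with a privately signed certificate once the verifier has that CA's certificate, and fails when it does not), shown with the openssl command line. Every name here (Example Org, Example Private CA, Unrelated CA, mx.example.org) is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration: validating a server certificate against a private CA.
# All subject names and host names below are constructed.

make_ca() {            # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.pem" \
        -subj "/O=Example Org/CN=$2" 2>/dev/null
}

issue_server_cert() {  # $1 = CA prefix, $2 = server prefix, $3 = host name
    # Server key and signing request, then signed by the private CA.
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/O=Example Org/CN=$3" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

validates_against() {  # $1 = CA certificate the verifier trusts, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/ca" "Example Private CA" &&
    make_ca "$dir/other" "Unrelated CA" &&
    issue_server_cert "$dir/ca" "$dir/mx" "mx.example.org" || return 1

    # Verifier that has the private CA certificate installed.
    if validates_against "$dir/ca.pem" "$dir/mx.pem"; then
        with_ca=ok
    else
        with_ca=fail
    fi
    # Verifier that only trusts some other CA: no path to the issuer.
    if validates_against "$dir/other.pem" "$dir/mx.pem"; then
        without_ca=ok
    else
        without_ca=fail
    fi
    rm -rf "$dir"
    echo "private CA installed: $with_ca; not installed: $without_ca"
}

demo
```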