ietf-mailsig

Re: Good as the enemy of OK

2005-01-16 15:11:45

On Fri, 14 Jan 2005, David Woodhouse wrote:

I quite like the idea of using TLS certificates for authorisation
instead of IP addresses. It may make a useful addition to the CSV-CSA
proposal. Rather than just specifying acceptable IP addresses, we could
also keep the fingerprint of the TLS certificate in DNS too. Does the
KEY RR allow that?

There are a number of problems with this idea. Firstly, TLS certs are
routinely not properly checked by SMTP clients or servers, which means
that the TLS PKI can't be used to tie a cryptographic identity to the real
world [1]. Secondly, although a cert could be used as a persistent
identity for reputation purposes, clients are free to change their cert on a
whim since there's no link to a PKI. Thirdly, TLS certs are usually used
for server authentication, not client authentication, which is the wrong
way round for SMTP. Finally, the DNSSEC crypto RRs are for DNSSEC only and
must not be piggy-backed by other protocols.

[1] Although CSV also has a relatively weak link to the real world, it is
stronger than using fingerprints of unverified TLS certs, because the
domain name that CSV authenticates has owners and managers that are (in
theory) identifiable by whois or by nameserver.

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
SHANNON: SOUTHWEST 5 TO 7, PERHAPS GALE 8 LATER. RAIN AT TIMES. MODERATE OR
GOOD.

