ietf-mxcomp

Re: CSV and STARTTLS

2004-07-01 04:32:54

On Wed, 30 Jun 2004, Douglas Otis wrote:

> I do not speak for the other authors, but there was a discussion
> involving this issue that Dave Crocker had been addressing.  It is my
> understanding this needs to change to reflect StartTLS is stronger but
> defines a different namespace which is why Dave indicates it does not
> authenticate the HELO domain.  He was working on the wording for this.

Is this related to the distinction between service names and host names?

For example, our MX records refer to mx.cam.ac.uk which is a service name
which in turn refers to a number of hosts whose canonical host names (and
EHLO greetings) are of the form XXXX.csi.cam.ac.uk. If we were to turn on
opportunistic encryption for general SMTP with full certificate
verification, we would have to obtain a server certificate for
mx.cam.ac.uk for incoming email, and client certificates for each of the
XXXX names for outgoing email.

I'm not sure if the behaviour of MTAs is sensible if they try to negotiate
TLS but fail at the certificate verification stage. I'm not sure I know
what sensible behaviour would be!

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
SELSEY BILL TO LYME REGIS: WEST 5 BACKING SOUTHWEST, PERHAPS INCREASING
LOCALLY 6, LATER VEERING WEST 5 LOCALLY 6. SCATTERED SHOWERS WITH RAIN FOR A
TIME. GOOD DECREASING OCCASIONALLY MODERATE OR POOR IN RAIN. MODERATE BUILDING
ROUGH.
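A constructed illustration of the two points above (which name a sending MTA should check the server certificate against, and what it does when that check fails); this is added here and is not code from the thread or from any MTA. It assumes the stand-in host name mta1.csi.cam.ac.uk for XXXX.csi.cam.ac.uk and a simple RFC 6125-style DNS-ID match.

```python
from dataclasses import dataclass
from typing import Dict, List


def name_matches(pattern: str, hostname: str) -> bool:
    """DNS-ID match in the RFC 6125 style: case-insensitive, and a '*'
    is allowed only as the entire leftmost label, matching one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


@dataclass
class Cert:
    san_dns: List[str]  # subjectAltName dNSName values (constructed sample)


def cert_covers(cert: Cert, reference_id: str) -> bool:
    return any(name_matches(n, reference_id) for n in cert.san_dns)


def starttls_outcome(cert: Cert, mx_name: str, ehlo_name: str,
                     policy: str) -> Dict[str, object]:
    """Decide what a sending MTA does after STARTTLS completes.

    The reference identity is the MX target (the service name the sender
    resolved), not the EHLO host name: a certificate for the EHLO name
    does not show that we reached the service we looked up.
    policy is 'opportunistic' (encrypt when offered, never fail on the
    certificate) or 'verify' (deliver only if the certificate matches).
    """
    authenticated = cert_covers(cert, mx_name)
    note = ""
    if not authenticated and cert_covers(cert, ehlo_name):
        note = "certificate names the EHLO host, not the MX target"
    if authenticated:
        return {"encrypted": True, "authenticated": True,
                "action": "deliver", "note": note}
    if policy == "opportunistic":
        # Encrypted but unauthenticated: protects against passive
        # eavesdropping only, since an active attacker could swap the cert.
        return {"encrypted": True, "authenticated": False,
                "action": "deliver-unauthenticated", "note": note}
    if policy == "verify":
        # Fail closed: queue and retry rather than send over an unverified
        # channel (or in the clear).
        return {"encrypted": False, "authenticated": False,
                "action": "defer", "note": note}
    raise ValueError(f"unknown policy {policy!r}")
```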

