TLS and expired certs

2010-02-16 21:32:45

RFC 3207, section 4.1, provides a guideline for a possible condition for an MTA to reject a TLS session:

   The decision of whether or not to believe the authenticity of the
   other party in a TLS negotiation is a local matter.  However, some
   general rules for the decisions are:

   -  A SMTP client would probably only want to authenticate an SMTP
      server whose server certificate has a domain name that is the
      domain name that the client thought it was connecting to.

Why were possible expiration condition "insights" excluded from the production of this doc, if discussed at all?

I'm thinking of adding some time-based rules for TLS rejection and just wondering if it's worth it. Of course, this is to help automated MTA decision, not a MUA/MTA manual end-user question/decision. I'm thinking something like:

   TLS Rejection Reasons:

     [X] Domain mismatch
     [X] Expired DAYS __60__

I guess maybe time has nothing to do with the fact that you reached
a matching TLS domain target?

Thanks for your insights


Hector Santos
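One way to express the two checklist rules above as MTA-side policy, as an added example that is not part of Hector's post or of any MTA's code. The certificate fields are a constructed sample, and the 60-day allowance is the figure from the message; the hostname match follows the usual single-label wildcard convention, which is an assumption, not something the post specifies.

```python
"""Constructed STARTTLS acceptance policy: domain match plus an expiry grace window."""
from datetime import datetime, timedelta, timezone


def hostname_matches(expected: str, presented_names) -> bool:
    """Case-insensitive exact match; a leading '*.' covers exactly one label."""
    expected = expected.lower().rstrip(".")
    for name in presented_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".example.org"
            if expected.endswith(suffix):
                leftmost = expected[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
        elif name == expected:
            return True
    return False


def tls_reject_reasons(cert, expected_host, now, expired_days_allowed=60):
    """Return the list of rejection reasons; an empty list means accept the session.

    cert is a dict with 'names' (subject/SAN DNS names), 'not_before' and 'not_after'
    as timezone-aware datetimes. The grace window lets an automated MTA keep
    delivering to a peer whose cert lapsed recently instead of failing closed.
    """
    reasons = []
    if not hostname_matches(expected_host, cert["names"]):
        reasons.append("domain mismatch")
    if now < cert["not_before"]:
        reasons.append("certificate not yet valid")
    elif now > cert["not_after"] + timedelta(days=expired_days_allowed):
        reasons.append("expired for more than %d days" % expired_days_allowed)
    return reasons


# Constructed sample: a cert that lapsed on 2010-01-01, evaluated on the post's date.
SAMPLE_CERT = {
    "names": ["mail.example.com", "*.example.org"],
    "not_before": datetime(2009, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2010, 1, 1, tzinfo=timezone.utc),
}
SAMPLE_NOW = datetime(2010, 2, 16, tzinfo=timezone.utc)  # 46 days after expiry

if __name__ == "__main__":
    for host in ("mail.example.com", "smtp.example.org", "a.b.example.org"):
        print(host, tls_reject_reasons(SAMPLE_CERT, host, SAMPLE_NOW) or "accept")
```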