Carl S. Gutekunst wrote:
RFC 3207 punts on the issue of certificate verification. Is there any
interest in a rigorous specification for certificate verification in
SMTP/STARTTLS ? Is this the appropriate WG for such a discussion?
Our SMTP client has options to check the server certificate on a per
domain basis. So where it is mandated that it be non-expired and
common names match the connection name and/or the rDNS is local policy.
But one thing I was thinking about supporting is OCSP (Online
Certificate Status Protocol) RFC2560 as the another way to check for
the vendor revocation and also deal with the wild card issues.
The major browsers do OCSP and at first it was OFF by default. But
within the last year or so of updates, they are now ON by default,
specifically starting with CHROME and FIREFOX 3.0.
I think this may be doable today if the SMTP client wanted to push the
check that far.