[Top] [All Lists]

Re: Any interest in rigorous definition for SSL certificate verification in SMTP?

2011-11-14 19:58:35

Carl S. Gutekunst wrote:

RFC 3207 punts on the issue of certificate verification. Is there any interest in a rigorous specification for certificate verification in SMTP/STARTTLS ? Is this the appropriate WG for such a discussion?

Our SMTP client has options to check the server certificate on a per domain basis. So where it is mandated that it be non-expired and common names match the connection name and/or the rDNS is local policy.

But one thing I was thinking about supporting is OCSP (Online Certificate Status Protocol) RFC2560 as the another way to check for the vendor revocation and also deal with the wild card issues.

The major browsers do OCSP and at first it was OFF by default. But within the last year or so of updates, they are now ON by default, specifically starting with CHROME and FIREFOX 3.0.

I think this may be doable today if the SMTP client wanted to push the check that far.


Hector Santos
jabber: hector(_at_)jabber(_dot_)isdg(_dot_)net