Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP

2020-01-01 12:06:37
On Jan 1, 2020, at 12:55 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:

> But once again, this is submission, not SMTP.  A client certificate is
> a plausible way for a submission client to authenticate itself to the
> submission server.

Well, I think what Keith was hinting at is that in some idealized Internet
we don't have, "real" SMTP clients could be authenticated via client certs,
making it harder for botnets (on machines that lack such certs) to be seen
as real SMTP clients.

Of course the bad guys can register a new domain for $5/year, get a Let's
Encrypt cert, and have the botnet use that domain and cert for a few hours,
and then register another domain... So I don't see how client certs would
in fact keep abuse at bay.


