
Re: [ietf-smtp] Possible contribution to moving forward with RFC5321bis SMTP

2020-01-01 12:27:54
On 1/1/20 1:06 PM, Viktor Dukhovni wrote:

> Well, I think what Keith was hinting at is that in some idealized Internet
> we don't have, "real" SMTP clients could be authenticated via client certs,
> making it harder for botnets (on machines that lack such certs) to be seen
> as real SMTP clients.
Yes, that was what I was wondering.
> Of course the bad guys can register a new domain for $5/year, get a Let's
> Encrypt cert, and have the botnet use that domain and cert for a few hours,
> and then register another domain... So I don't see how client certs would
> in fact keep abuse at bay.

FWIW, Let's Encrypt doesn't currently issue client certificates.

And since this would be entirely new practice, it would at least be possible to require Organization Validation or Extended Validation certificates as a condition of accepting mail, or more likely, as a condition of not pessimizing mail... and/or set up email-specific CAs for the purpose of authenticating SMTP clients.

I don't claim that it's simple to make this work - the devil is, as always, in the details. I don't think there is a magic bullet. But I do see client cert authentication of SMTP-over-TLS as another potential tool in the toolbox.
