
Re: E-Mail Protocol Security Measurements

2015-10-31 10:09:49
On Sat, Oct 31, 2015 at 10:20:50AM -0400, John C Klensin wrote:

>> What's missing here is that having trusted SSL certificates
>> offers zero protection for MTA-to-MTA SMTP.  Any time/money
>> spent on such certificates is essentially wasted.  Barring
>> DANE or similar out-of-band policy, certificates *cannot*
>> protect MTA-to-MTA SMTP from MITM attacks.

> First, unless I'm missing a key part of your reasoning, if one
> really had a "trusted SSL certificate" and used it properly,
> "zero protection" seems like a dubious claim.

I meant what I said and I said what I meant:

    https://tools.ietf.org/html/rfc7672#section-1.3
    https://tools.ietf.org/html/rfc7672#section-1.3.1
    https://tools.ietf.org/html/rfc7672#section-1.3.2
    https://tools.ietf.org/html/rfc7672#section-1.3.3
    https://tools.ietf.org/html/rfc7672#section-1.3.4

    https://tools.ietf.org/html/rfc7435

[ Certificate wrong, yet the message still sent. ]

-- 
        Viktor.
