John C Klensin <john-ietf(_at_)jck(_dot_)com> writes:
> You may reasonably claim that those criteria are almost never
> satisfied today and that almost all TLS connections between SMTP
> sender and SMTP receiver are made in the same casual way that
> almost all HTTPS ones are.
That is far from true -- all significant web browsers out there validate
HTTPS certs against a pre-distributed CA bundle, and reject connections
when that fails. SMTP servers in general never reject connections when
cert checking fails. You may argue that CAs perform casual checking,
but it is distinctly better than permitting any certificates as in the
SMTP world.
/Simon
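The contrast Simon draws, shown as an added Go example that is not part of the thread: a loopback TLS server presents a self-signed certificate (standing in for an MTA certificate that no public CA vouches for), and a client connects under three policies: browser-style strict verification against the system CA bundle, opportunistic "encrypt but accept anything" as most MTAs do, and verification against an explicitly configured local trust anchor. The host name mail.example.test and the certificate contents are constructed for the demo; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TrustMode is how the client treats the certificate the server presents.
type TrustMode int

const (
	Strict        TrustMode = iota // verify against the system CA bundle and fail closed, as browsers do
	Opportunistic                  // encrypt, but accept any certificate, as most MTAs do today
	LocalTrust                     // verify against an explicitly configured anchor
)

// newSelfSignedCert builds a throwaway certificate for a constructed host name;
// no public CA vouches for it, which is the common situation for MTAs.
func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// clientConfig returns the TLS client settings for each trust mode.
func clientConfig(mode TrustMode, host string, anchor *x509.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	switch mode {
	case Opportunistic:
		cfg.InsecureSkipVerify = true // no chain check and no name check at all
	case LocalTrust:
		pool := x509.NewCertPool()
		pool.AddCert(anchor)
		cfg.RootCAs = pool // trust only this anchor; chain and name are still checked
	}
	// Strict: RootCAs stays nil, so Go verifies against the system CA bundle.
	return cfg
}

// startServer listens on loopback with the given certificate and completes
// handshakes in the background until the listener is closed.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake() // fails harmlessly when the client rejects our cert
				}
			}(c)
		}
	}()
	return ln, nil
}

// Probe connects once in each mode and reports the handshake outcome per mode
// (nil means the connection was accepted).
func Probe() (map[TrustMode]error, error) {
	const host = "mail.example.test" // constructed name, not a real host
	cert, leaf, err := newSelfSignedCert(host)
	if err != nil {
		return nil, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	results := map[TrustMode]error{}
	for _, mode := range []TrustMode{Strict, Opportunistic, LocalTrust} {
		conn, err := tls.Dial("tcp", ln.Addr().String(), clientConfig(mode, host, leaf))
		if err == nil {
			conn.Close()
		}
		results[mode] = err
	}
	return results, nil
}

func main() {
	results, err := Probe()
	if err != nil {
		panic(err)
	}
	for _, m := range []TrustMode{Strict, Opportunistic, LocalTrust} {
		fmt.Printf("mode %d: err=%v\n", m, results[m])
	}
}
```

Run it and the Strict dial fails with an unknown-authority error while the other two succeed: the opportunistic client is encrypted but has no idea who it is talking to, whereas the LocalTrust client still gets a verified chain and host name. Go's default client, like a browser, fails closed; an MTA that wants the opportunistic behaviour has to opt into it explicitly with InsecureSkipVerify.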