At 14:09 02/02/2004, Iljitsch van Beijnum wrote:
Anyone feel it is unreasonable to force people who want to run their own
server to get a certificate for it? (Assuming a selection of roots, no
verisign lock in of course.)
I do.. I suppose it might be possible to get a certificate authority which
is easy to use, but the one's I've used certainly aren't... They're
probably OK if you live in the USA, but even in the UK, it's a RRPITA to
get a certificate from Verisign or Thawte, regardless of the cost. If I
wasn't a techie it'd probably be enough to put me off email for life if I
had to do it... If I lived in a country under tight government control it
might be impossible to get a certificate at any cost!
I'm not sure what a server certificate would achieve on its own. I already
know who a server is - from it's IP address.
What I need is the basic authorisation that a mail server on a particular
IP address is allowed to send email from a particular email address (this
is an authorisation from the email address owner, not from me). I'm not
sure how digital certificates (as I understand them) could achieve this.
Many servers could send mail from many different domains.
You could do it quite easily, reliably & cheaply using DNS (eg 195.149.15.3
sends you a message from 'fred(_at_)pscs(_dot_)co(_dot_)uk' - do a DNS lookup of
'195_149_15_3.pscs.co.uk' (or c3950f03.pscs.co.uk, or whatever) and see if
the result is valid, if it is that mail server is permitted (by the owner
of the pscs.co.uk domain) to send mail from that domain, otherwise it's not)
Paul VPOP3 - Internet Email Server/Gateway
support(_at_)pscs(_dot_)co(_dot_)uk http://www.pscs.co.uk/