On Tue, Oct 16, 2001 at 12:37:51AM -0600, Donald Thompson wrote:
> Most remote servers should be more concerned with creating an encrypted
> transfer rather than verifying host and certificate authenticity. Not to
> say that there aren't a few out there are foolish enough to attempt to do
> so.
Ummmm!
I think that relying on the fact that you have established an encrypted
connection with someone (though that may not be the right person) seems
absolutely pointless to me. Personally I use TLS for verifying relaying
which means that I must check the client certificate, because otherwise
I can't actually tell if the other endpoint is authorised to relay. The
same thing applies above. It seems to me that there can be no point in
establishing an encrypted connection if you are not going to verify the
other endpoint. It adds overhead and gains you *nothing*.
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
