Re: [exim] Should MX offer TLS ?

On 07/11/2007 16:36, Dean Brooks wrote:
> On Wed, Nov 07, 2007 at 03:54:42PM +0000, John Robinson wrote:
>> [...] I'd have thought that sending to MX with
>> TLS, offering a real certificate, would be a good way of saying "yes I
>> really am who I say I am". Now if one could say in one's SPF records "I
>> have a real cert" we'd be a long way towards sender authentication,
>> wouldn't we?
>
> Problem is, you don't have to have a CA authority sign your TLS
> certificate. Anyone can self sign and TLS will accept it.

Unless the recipient were to decide he liked CA-signed certs. This is
what I'm angling towards.

> DomainKeys is closer to that idea though.

I know, but SSL/TLS with CA-signed certs are well-understood and already
well-supported in MTAs (including exim, of course). Why not use them for
sender authentication? I know nobody does but what's the rationale in
favour of DKIM et al over my suggestion?

Cheers,

John.