Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] Should MX offer TLS ?
John Robinson wrote:
> On 07/11/2007 16:36, Dean Brooks wrote:
>> On Wed, Nov 07, 2007 at 03:54:42PM +0000, John Robinson wrote:
>>> [...] I'd have thought that sending to MX with
>>> TLS, offering a real certificate, would be a good way of saying "yes I
>>> really am who I say I am". Now if one could say in one's SPF records "I
>>> have a real cert" we'd be a long way towards sender authentication,
>>> wouldn't we?
>> Problem is, you don't have to have a CA authority sign your TLS
>> certificate. Anyone can self sign and TLS will accept it.
>
> Unless the recipient were to decide he liked CA-signed certs. This is
> what I'm angling towards.
>
>> DomainKeys is closer to that idea though.
>
> I know, but SSL/TLS with CA-signed certs are well-understood and already
> well-supported in MTAs (including exim, of course). Why not use them for
> sender authentication? I know nobody does but what's the rationale in
> favour of DKIM et al over my suggestion?
>
> Cheers,
>
> John.
>
>
That's an easy one.
Most of the public CAs are whores. Verisign at the head of the line.
They'll sell a cert to anyone.
Pull all the CAs from a browser and suddenly notice that ads.doubleclick.net
and a zillion others have been using publicly signed certs off the browser's
default CA set to quietly slip under your filters for years.
Not that I think DKIM is worth a Massachusetts, either...
If I could only have ONE tool - it's lack of a PTR RR.