Re: [exim] Advertising TLS

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Advertising TLS
On Tue, Nov 03, 2015 at 11:34:01AM -0500, Daryl Richards wrote:

> On 2015-11-03 11:19 AM, Jeremy Harris wrote:
>
> >https://community.letsencrypt.org/t/frequently-asked-questions-faq/26
> >
> >>Can I use certificates from Let’s Encrypt for code signing or email
> >>encryption?
> >>
> >>No. Email encryption and code signing require a different type of
> >>certificate than Let’s Encrypt will be issuing.
> >
> >Not especially encouraging.
>
> That's for client-side email encryption, which is a different type of
> certificate. Their certificate should still work for SSL/TLS on the server,
> as there's no real difference between that and a web server SSL/TLS cert...


Correct, they don't "prove" (pin) user identities, only domain
control. So they can only issue TLS client/server certificates,
not email signing/encryption certificates.

These may prove popular to silence certificate trust warnings on
small-scale submission services when the number of users exceeds
a handful who can configure trust in a self-signed certificate.

Many users use free StartCom certificates for that now:

    Subject = CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing, O=StartCom Ltd.,C=IL
    Issuer = CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd., C=IL


What's different with LE is more automated (simplified) deployment.

-- 
    Viktor.