On Sat, Oct 31, 2015 at 10:20:50AM -0400, John C Klensin wrote:

> > What's missing here is that having trusted SSL certificates
> > offers zero protection for MTA-to-MTA SMTP. Any time/money
> > spent on such certificates is essentially wasted. Barring
> > DANE or similar out-of-band policy, certificates *cannot*
> > protect MTA-to-MTA SMTP from MITM attacks.
>
> First, unless I'm missing a key part of your reasoning, if one
> really had a "trusted SSL certificate" and used it properly,
> "zero protection" seems like a dubious claim.

I meant what I said and I said what I meant:

    https://tools.ietf.org/html/rfc7672#section-1.3
    https://tools.ietf.org/html/rfc7672#section-1.3.1
    https://tools.ietf.org/html/rfc7672#section-1.3.2
    https://tools.ietf.org/html/rfc7672#section-1.3.3
    https://tools.ietf.org/html/rfc7672#section-1.3.4
    https://tools.ietf.org/html/rfc7435

[ Certificate wrong, yet the message still sent. ]

-- 
	Viktor.
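The RFC 7672 sections linked above make the argument in prose; the model below, added here as an illustration and not code from the thread or from any MTA, walks through it: the sender's reference identity comes from an unauthenticated MX lookup, STARTTLS can be stripped, and opportunistic TLS never refuses delivery, so a CA-signed certificate changes nothing until DNSSEC-validated TLSA records exist. All host names and fingerprints are constructed.

```python
# Toy model of RFC 7672 sections 1.3.1-1.3.2: why a CA-signed certificate
# alone adds nothing to MTA-to-MTA SMTP and what DANE changes. Constructed
# example for this thread, not code from any MTA; all names are made up.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class DnsAnswer:
    mx: str                        # MX host the sender will connect to
    tlsa: frozenset = frozenset()  # DANE TLSA data (cert fingerprints) for it
    authenticated: bool = False    # DNSSEC AD bit; plain DNS is never authenticated

@dataclass(frozen=True)
class Peer:
    cert_sans: frozenset           # names in the certificate the peer presents
    cert_fp: str                   # fingerprint of that certificate
    ca_signed: bool = True         # vouched for by some public CA
    offers_starttls: bool = True   # an on-path attacker can simply strip this

def pkix_ok(dns, peer):
    """'Trusted certificate' check: CA-signed and name matches the MX host.
    The reference identity comes from the unauthenticated MX lookup itself."""
    return peer.offers_starttls and peer.ca_signed and dns.mx in peer.cert_sans

def deliver(dns, peer):
    """Sender policy per RFC 7672: DANE is enforced only when DNSSEC-validated
    TLSA records exist; without them TLS is opportunistic and never blocks mail."""
    if dns.authenticated and dns.tlsa:
        if peer.offers_starttls and peer.cert_fp in dns.tlsa:
            return "encrypted+authenticated"
        return "deferred"                   # DANE refuses cleartext or a wrong cert
    if not peer.offers_starttls:
        return "cleartext"                  # STARTTLS stripped, mail still sent
    return "encrypted, unauthenticated"     # cert looked at, but not enforced

# Constructed scenario: the real MX, plus an on-path attacker who rewrites the
# unsigned MX answer to a host for which the attacker holds a valid CA cert.
REAL_DNS = DnsAnswer("mx.example.net", frozenset({"sha256:aaaa"}), authenticated=True)
REAL_MX = Peer(frozenset({"mx.example.net"}), "sha256:aaaa")
FORGED_DNS = DnsAnswer("mx.attacker.example")          # unsigned, hence forgeable
ATTACKER_MX = Peer(frozenset({"mx.attacker.example"}), "sha256:bbbb")
NO_TLS = replace(REAL_MX, offers_starttls=False)

def scenarios():
    return {
        "pkix_forged_mx": pkix_ok(FORGED_DNS, ATTACKER_MX),      # True: cert checks out
        "pkix_honest": pkix_ok(REAL_DNS, REAL_MX),               # True: indistinguishable
        "opportunistic_stripped": deliver(DnsAnswer("mx.example.net"), NO_TLS),
        "dane_honest": deliver(REAL_DNS, REAL_MX),
        "dane_stripped": deliver(REAL_DNS, NO_TLS),
        "dane_wrong_cert": deliver(REAL_DNS, replace(REAL_MX, cert_fp="sha256:bbbb")),
    }
```

The two PKIX results are identical, which is the point of the "zero protection" claim: the certificate is valid for whatever name the unsigned MX answer named, and only the DANE path ever returns "deferred".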