[110768] in North American Network Operators' Group


Re: smtp.comcast.net self-signed certs

daemon@ATHENA.MIT.EDU (Tony Finch)
Fri Jan 16 11:28:56 2009

Date: Fri, 16 Jan 2009 16:28:42 +0000
From: Tony Finch <dot@dotat.at>
To: Florian Weimer <fw@deneb.enyo.de>
In-Reply-To: <873afjntkr.fsf@mid.deneb.enyo.de>
Cc: nanog@nanog.org, Jeff Mitchell <jeff@emailgoeshere.com>
Errors-To: nanog-bounces@nanog.org

On Fri, 16 Jan 2009, Florian Weimer wrote:
>
> There's no PKI for Internet Mail routing, so I don't see what you get
> by checking certificates at all.

That's not entirely true. SMTP over TLS is intended to work for
inter-domain SMTP, and it is in fact quite frequently used. However, it is
utterly broken, with the result that what PKI there is is not in practice
used.

The brokenness is:

* TLS certificates verify host names not mail domains, so they only
provide protection for the result of an MX lookup - they don't verify
the MX lookup itself was not spoofed.

* Most SMTP software does not check certificates and many certificates
installed on MX hosts have different common names from the MX record
target hostname. Turning on certificate verification breaks too much
email, and there's no incentive for postmasters to install valid
certificates.

These problems are extremely hard to fix.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
FITZROY SOLE: WEST OR SOUTHWEST 5 TO 7, INCREASING GALE 8 AT TIMES, THEN
BACKING SOUTH 7 TO SEVERE GALE 9, PERHAPS STORM 10 LATER. VERY ROUGH OR HIGH.
RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.

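The two gaps Tony describes, as an added example that is not part of the original thread: a hypothetical `assess()` matches the MX target hostname against the names in the presented certificate (RFC 6125-style, including wildcard rules) and records separately whether the MX answer itself was authenticated, since a matching certificate alone only covers the second hop. All hostnames below are constructed.

```python
"""Added illustration of why a valid certificate on an MX host does not,
by itself, protect a mail domain: the cert can at best be matched against
the MX target name, and says nothing about whether the MX lookup was
genuine.  Not code from the original post; all names are constructed."""
from dataclasses import dataclass
from typing import List, Optional


def hostname_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' label that
    covers exactly one left-most label of the host (no partial wildcards,
    no matching across label boundaries, no bare '*.tld')."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    c_labels, h_labels = cert_name.split("."), host.split(".")
    return (len(c_labels) >= 3
            and len(c_labels) == len(h_labels)
            and c_labels[1:] == h_labels[1:])


@dataclass
class TlsAssessment:
    mx_target_verified: bool        # a cert name covers the MX target host
    mx_lookup_authenticated: bool   # the DNS MX answer itself was validated
    matched_name: Optional[str]

    @property
    def mail_domain_protected(self) -> bool:
        # Both hops must hold: the MX answer for the mail domain must be
        # genuine AND the host reached must prove it is that MX target.
        return self.mx_target_verified and self.mx_lookup_authenticated


def assess(mx_target: str, cert_names: List[str],
           mx_lookup_authenticated: bool) -> TlsAssessment:
    """cert_names: the CN plus any DNS SANs taken from the MX host's cert."""
    for name in cert_names:
        if hostname_matches(name, mx_target):
            return TlsAssessment(True, mx_lookup_authenticated, name)
    return TlsAssessment(False, mx_lookup_authenticated, None)


if __name__ == "__main__":
    # Constructed case from the post's second bullet: the MX target is
    # mx1.example-mail.net but the host presents a cert for another CN.
    r = assess("mx1.example-mail.net", ["mail.example-mail.net"], False)
    print(r, "mail domain protected:", r.mail_domain_protected)
```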
