[159226] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (Scott Howard)
Tue Jan  1 19:04:22 2013
In-Reply-To: <alpine.BSF.2.00.1212310857001.21257@joyce.lan>
Date: Tue, 1 Jan 2013 16:04:11 -0800
From: Scott Howard <scott@doc.net.au>
To: "John R. Levine" <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine <johnl@iecc.com> wrote:
> Really, this isn't hard to understand.  Current SSL signers do no more
> than tie the identity of the cert to the identity of a domain name. Anyone
> who's been following the endless crisis at ICANN about bogus WHOIS knows
> that domain names do not reliably identify anyone.
>
So you're saying that you'd have no problems getting a well-known-CA signed
certificate for, say, pop.mail.yahoo.com?  If you can't, then it would seem
that the current process provides (at least) a better mechanism than just
blindly accepting self-signed certificates, no?
> Also keep in mind that this particular argument is about the certs used to
> submit mail to Gmail, which requires a separate SMTP AUTH within the SSL
> session before you can send any mail.  This isn't belt and suspenders, this
> is belt and a 1/16" inch piece of duct tape.
>
Err.. no it's not.  It's about the certs used when Gmail connects to a
3rd-party host to collect mail.  ie, Google is the client, not the server.
  Scott