[70086] in North American Network Operators' Group


Re: Buying and selling root certificates

daemon@ATHENA.MIT.EDU (Robert E. Seastrom)
Wed Apr 28 20:19:27 2004

To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
From: "Robert E. Seastrom" <rs@seastrom.com>
Date: 28 Apr 2004 20:19:00 -0400
In-Reply-To: <Pine.GSO.4.58.0404281950200.9806@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
Sean Donelan <sean@donelan.com> writes:

> I'm not that interested in SSL for web servers, but I have noticed a
> gradual increase in the number of mail servers willing to STARTTLS with
> mine.  I was experimenting with trying to verify some of the certificates
> presented; it's not real security, but it makes the logs cleaner.

Most of us who are willing to opportunistically do STARTTLS are using
self-signed certificates anyway.  We do this for many reasons; chief
among the reasons I do so are:

   1) More encrypted traffic running around the Internet is a _good thing_

   2) Even if the contents of my email are PGP-encrypted, headers and
   transactions can still be passively monitored and collected.  This is
   sufficient for drawing relationship graphs.  Opportunistic TLS fixes
   this problem.

Note that "verifying the identity of the guy on the other end and thus
eliminating man-in-the-middle attacks on my email" is not on the list.
STARTTLS-capable MTAs vary in their ability to follow certificate
chains anyway...

                                        ---Rob
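Rob's point is that opportunistic STARTTLS with self-signed certificates buys confidentiality against passive collection but not peer authentication, and Sean wants to verify presented certificates mainly to keep the logs cleaner. As an added example, not code from either poster, here is a small Python script that classifies TLS log lines by trust level and flags any peer whose trust level drops between connections (a cheap indicator for exactly the interception case opportunistic TLS does not rule out). The log lines are constructed, and their format is modelled on Postfix's "Anonymous/Untrusted/Trusted/Verified TLS connection established" messages (an assumption; the thread names no MTA).

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on Postfix's TLS log lines (assumption).
SAMPLE_LOG = """\
Apr 28 20:01:11 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Apr 28 20:03:42 mx postfix/smtpd[1203]: Untrusted TLS connection established from relay.example.org[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 28 20:05:09 mx postfix/smtp[1210]: Trusted TLS connection established to mx1.example.com[203.0.113.25]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 28 20:07:30 mx postfix/smtp[1212]: Untrusted TLS connection established to mx1.example.com[203.0.113.25]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 28 20:09:55 mx postfix/smtp[1214]: Verified TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# Trust word, direction (inbound "from" / outbound "to"), peer hostname and address.
TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)

# Assurance ranking: anonymous cipher < self-signed/unverifiable chain < chain
# verified to a trusted CA < chain verified and name matched.
RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}


def parse_tls_lines(log_text):
    """Yield (trust, host, ip) for every TLS-established line, in log order."""
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            yield m.group("trust"), m.group("host"), m.group("ip")


def summarize(log_text):
    """Count TLS sessions per trust level, e.g. how many peers are self-signed."""
    counts = defaultdict(int)
    for trust, _host, _ip in parse_tls_lines(log_text):
        counts[trust] += 1
    return dict(counts)


def find_regressions(log_text):
    """Return (host, best_seen, current) for each session where a peer's trust
    level is lower than the best level previously seen for that host."""
    best = {}
    regressions = []
    for trust, host, _ip in parse_tls_lines(log_text):
        prev = best.get(host)
        if prev is not None and RANK[trust] < RANK[prev]:
            regressions.append((host, prev, trust))
        else:
            best[host] = trust
    return regressions


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for host, prev, now in find_regressions(SAMPLE_LOG):
        print(f"trust regression for {host}: {prev} -> {now}")
```

A drop from Trusted to Untrusted for the same peer is worth a second look, since with opportunistic TLS the session still goes through and only the log records the change.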
