[Operators] [Fwd: Re: Secure Communications Week]

Garrett Wollman wollman at csail.mit.edu
Fri Aug 15 17:10:50 CDT 2008

<<On Fri, 15 Aug 2008 15:57:17 -0600, Peter Saint-Andre <stpeter at stpeter.im> said:

> Johansson Olle E wrote:
>> There is a lot we could add in a best-practice document. Self-signed
>> certificates don't belong to a CA, but can still be identified with a
>> fingerprint. Postfix (e-mail server) supports both fingerprints and
>> CA-style certificate handling.

> Yes it would be good to see how this is handled in mail servers.

Mail servers generally practice "opportunistic encryption", similar to
what jabber servers do now (but without the callback stuff).  It is
possible to configure sendmail, exim, and presumably others to insist
on valid certificates, but nobody does for MTAs that will be talking
to the rest of the world.  (Some may do it for corporate MTAs, and
it's not uncommon for MSAs to require valid certificates for relay

> I suppose one question is: how do you check fingerprints?

Well, if you're doing DNSsec as Olle suggested, you just put the whole
public key in the DNS using a DNSKEY record.  You then authenticate
the record using standard DNSsec protocols.  (This currently works in
.se and .br, and is supposed to be rolled out next year for .org.
Having IANA actually sign the root is still some ways off.)
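As an added example, not code from this thread or from any MTA: a small model of the outbound-TLS decision the message describes, with an opportunistic level that tolerates a missing or unverifiable certificate, an enforced level that insists on CA validation, and a fingerprint level that pins a self-signed certificate by digest. The level names are borrowed from Postfix's smtp_tls_security_level (assumption); the evaluation logic and the sample certificate bytes are constructed here.

```python
import hashlib
import hmac

# Constructed placeholder: NOT a real certificate, just bytes standing in for
# the DER-encoded certificate a remote MTA presented during STARTTLS.
PEER_CERT_DER = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00" + b"\xa5" * 64


def fingerprint(der_cert: bytes, digest: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER certificate."""
    hexd = hashlib.new(digest, der_cert).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def fingerprints_match(expected: str, actual: str) -> bool:
    """Compare pins in constant time, ignoring colons and case."""
    norm = lambda fp: fp.replace(":", "").upper()
    return hmac.compare_digest(norm(expected), norm(actual))


def decide(policy, *, tls_offered, der_cert=None, ca_verified=False, pinned=()):
    """Return (deliver, reason) for one outbound SMTP session.

    policy: 'none' | 'may' (opportunistic) | 'encrypt' | 'fingerprint' | 'secure'
    Anything but 'none' and 'may' defers the message when its condition fails.
    """
    if policy == "none":
        return True, "plaintext by policy"
    if not tls_offered:
        return policy == "may", "peer offers no TLS"
    if der_cert is None:
        return policy in ("may", "encrypt"), "TLS session without a certificate"
    if policy in ("may", "encrypt"):
        return True, "encrypted; certificate not checked"
    if policy == "fingerprint":
        fp = fingerprint(der_cert)
        ok = any(fingerprints_match(p, fp) for p in pinned)
        return ok, "fingerprint " + ("matched a pin" if ok else "not pinned")
    if policy == "secure":
        return ca_verified, "CA chain " + ("verified" if ca_verified else "rejected")
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    pin = fingerprint(PEER_CERT_DER).lower()  # e.g. copied from the peer's admin
    print(decide("fingerprint", tls_offered=True, der_cert=PEER_CERT_DER, pinned=[pin]))
    print(decide("secure", tls_offered=True, der_cert=PEER_CERT_DER, ca_verified=False))
```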