[Standards] RFC 3920, 10.2/10.3: subdomain routing rules
dot at dotat.at
Thu Mar 29 14:06:00 UTC 2007
On Thu, 29 Mar 2007, Matthias Wimmer wrote:
> I considered checking destination certificates several times. But what would I
> do if the certificate could not be verified? Don't nail me down on the number,
> but I expect that about 50% of the certificates for my peers are invalid. I
> only seem to have two options:
> - Not peering with them. This would not encourage people to get valid
> certificates. Most admins would probably just stop using TLS at all.
> - Fall back to using dialback. Oh, what a cool improvement. Because I do not
> trust the certificate I go to transmit stanzas totally in the clear.
> Both are not very appealing options ...
Presumably if you can't verify their certificate when connecting to them,
you reject the SASL EXTERNAL when they connect to you.
> As I said: The only situation where I consider destination cert checks
> possible at present are in closed environments or with a configured set of
> destination hosts.
Just as bad as SMTP :-(
f.a.n.finch <dot at dotat.at> http://dotat.at/
FAEROES: NORTH 3 OR 4, OCCASIONALLY 5, BECOMING VARIABLE 2 OR 3. SLIGHT OR
MODERATE. FAIR. GOOD.