[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Tony Finch dot at dotat.at
Thu Mar 29 14:06:00 UTC 2007


On Thu, 29 Mar 2007, Matthias Wimmer wrote:
>
> I considered checking destination certificates several times. But what would I
> do if the certificate could not be verified? Don't nail me down on the number,
> but I expect that about 50% of the certificates for my peers are invalid. I
> only seem to have two options:
> - Not peering with them. This would not encourage people to get valid
> certificates. Most admins would probably just stop using TLS at all.
> - Fall back to using dialback. Oh, what a cool improvement. Because I do not
> trust the certificate, I go on to transmit stanzas totally in the clear.
> Both are not very appealing options ...

Presumably if you can't verify their certificate when connecting to them,
you reject the SASL EXTERNAL when they connect to you.

> As I said: The only situation where I consider destination cert checks
> possible at present are in closed environments or with a configured set of
> destination hosts.

Just as bad as SMTP :-(

Tony.
-- 
f.a.n.finch  <dot at dotat.at>  http://dotat.at/
FAEROES: NORTH 3 OR 4, OCCASIONALLY 5, BECOMING VARIABLE 2 OR 3. SLIGHT OR
MODERATE. FAIR. GOOD.
