[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Matthias Wimmer m at tthias.eu
Fri Mar 30 16:20:27 UTC 2007

Hi Greg!

Greg Hudson wrote:
> In this case, you want to use TLS for confidentiality but not
> authentication.  Can you invoke dialback while still using the TLS
> stream?

Yes you can. But the original question was about verifying certificates 
of the connected server. So the case was the following:
If the connecting server would not accept the connected server's 
certificate and if it would not completely block peering with this server 
then, but it would not accept the certificate, the only remaining 
solution would be to not request TLS. This would result in "no 
encryption and dialback" as I wrote.

Sure you can say the destination's certificate is invalid and still 
continue to use TLS. That's exactly what is typically done. So the 
remaining question is: if you consider that the destination's 
certificate has to be checked, what do you do if it is invalid.
- you can just ignore that it is invalid (that's what is currently done)
- you can block all communications to this destination
- you can stop using TLS with this destination.
... as I wrote in the cited posting.