[Standards] RFC 3920, 10.2/10.3: subdomain routing rules
m at tthias.eu
Fri Mar 30 16:20:27 UTC 2007
Greg Hudson wrote:
> In this case, you want to use TLS for confidentiality but not
> authentication. Can you invoke dialback while still using the TLS
Yes you can. But the original question was about verifying certificates
of the connected server. So the case was the following:
If the connecting server would not accept the connected server's
certificate, and if it would not completely block peering with this
server but still would not accept the certificate, then the only
remaining solution would be to not request TLS. This would result in "no
encryption and dialback" as I wrote.
Sure you can say the destination's certificate is invalid and still
continue to use TLS. That's exactly what is typically done. So the
remaining question is: if you consider that the destination's
certificate has to be checked, what do you do if it is invalid?
- you can just ignore that it is invalid (that's what is currently done)
- you can block all communications to this destination
- you can stop using TLS with this destination.
... as I wrote in the cited posting.