[Standards] RFC 3920, 10.2/10.3: subdomain routing rules
ghudson at MIT.EDU
Fri Mar 30 16:25:18 UTC 2007
On Fri, 2007-03-30 at 18:20 +0200, Matthias Wimmer wrote:
> Yes you can. But the original question was about verifying certificates
> of the connected server.

If you're the connecting server, you already have dialback-strength
authentication of the connected server. ("Dialback-strength" means
anyone can fool you if they can subvert DNS or monkey with a TCP
connection, but can't fool you simply by making a false assertion at the
application protocol layer like you can do as an SMTP initiator.)

Thus, if you are willing to peer with a server which presents no TLS
certificate, you should also be willing to peer with a server which has an
invalid or self-signed certificate. You get to use the TLS stream for
confidentiality, as a little bonus.