[Standards] RFC 3920, 10.2/10.3: subdomain routing rules

Greg Hudson ghudson at MIT.EDU
Fri Mar 30 16:25:18 UTC 2007

On Fri, 2007-03-30 at 18:20 +0200, Matthias Wimmer wrote:
> Yes you can. But the original question was about verifying certificates 
> of the connected server.

If you're the connecting server, you already have dialback-strength
authentication of the connected server.  ("Dialback-strength" means
anyone can fool you if they can subvert DNS or monkey with a TCP
connection, but can't fool you simply by making a false assertion at the
application protocol layer like you can do as an SMTP initiator.)

Thus, if you are willing to peer with a server which presents no TLS
certificate, you should also be willing to peer with a server who has an
invalid or self-signed certificate.  You get to use the TLS stream for
confidentiality, as a little bonus.
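The "dialback-strength" property described above comes from where the receiving server gets its answer: it resolves the *claimed* originating domain itself and asks that host whether the key is valid, so an initiator cannot succeed just by asserting a domain it does not control. The following Python model is an added example, not code from this thread or from RFC 3920; DNS and the TCP connections are stood in for by dictionaries, the hostnames and secrets are constructed, and the key construction (HMAC-SHA256 keyed with SHA-256 of a per-server secret, over "receiving originating stream-id") is the one XEP-0220 recommends rather than anything RFC 3920 mandates.

```python
import hashlib
import hmac

# Constructed stand-in for DNS: authoritative XMPP host for each domain.
DNS = {
    "example.com": "xmpp.example.com",
    "example.net": "xmpp.example.net",
}

# Constructed stand-in for the network: which Server answers at each host.
HOSTS = {}


class Server:
    """One XMPP domain holding a dialback secret (constructed for the model)."""

    def __init__(self, domain, secret):
        self.domain = domain
        self.secret = secret

    def dialback_key(self, receiving, originating, stream_id):
        # XEP-0220 recommended construction; only the holder of `secret`
        # can produce a key that this server will later validate.
        k = hashlib.sha256(self.secret.encode()).digest()
        msg = f"{receiving} {originating} {stream_id}".encode()
        return hmac.new(k, msg, hashlib.sha256).hexdigest()

    def verify_key(self, receiving, originating, stream_id, key):
        # Authoritative side of dialback: recompute and compare in constant time.
        expected = self.dialback_key(receiving, originating, stream_id)
        return hmac.compare_digest(expected, key)


def receiving_server_checks(receiving, claimed_origin, stream_id, key, resolver=DNS):
    """Receiving server's side of dialback.

    The answer comes from the host that DNS says is authoritative for the
    claimed domain, not from the connection that made the claim.  That is
    exactly why the assurance is bounded by the integrity of DNS and of the
    TCP connection to that host.
    """
    host = resolver.get(claimed_origin)
    if host is None or host not in HOSTS:
        return False
    return HOSTS[host].verify_key(receiving.domain, claimed_origin, stream_id, key)


# Constructed peers: example.com and example.net each hold their own secret.
origin = Server("example.com", "constructed-secret-com")
receiver = Server("example.net", "constructed-secret-net")
HOSTS["xmpp.example.com"] = origin
HOSTS["xmpp.example.net"] = receiver


def honest_exchange():
    """example.com really is who it says: dialback succeeds."""
    stream_id = "stream-1"  # issued by the receiving server
    key = origin.dialback_key(receiver.domain, origin.domain, stream_id)
    return receiving_server_checks(receiver, origin.domain, stream_id, key)


def false_assertion():
    """A server that merely claims to be example.com (different secret):
    the authoritative host rejects its key, so the assertion alone fails."""
    impostor = Server("example.com", "some-other-secret")
    stream_id = "stream-2"
    key = impostor.dialback_key(receiver.domain, "example.com", stream_id)
    return receiving_server_checks(receiver, "example.com", stream_id, key)


if __name__ == "__main__":
    print("honest:", honest_exchange())          # True
    print("false assertion:", false_assertion())  # False
```

The model makes the post's policy point visible: `receiving_server_checks` never looks at a TLS certificate, so a peer that offered no certificate and one that offered a self-signed certificate are indistinguishable to it, and rejecting only the second buys nothing beyond what dialback already gives.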

