On Fri, Sep 17, 2004 at 07:35:09PM +0100, Ian Grigg wrote:

> Oh, that's really easy. Each mailer (MUA) should (on
> install) generate a self-signed cert. Stick the fingerprint

apt-get install postfix-tls

Alright, this still doesn't generate the certs, nor reference them in the main.cf.

> in the headers of every mail going out. An MUA that sees
> the fingerprint in an incoming mail can send a request email
> to acquire the full key. Or stick the entire cert in there,
> it's not as if anyone would care.

I would cache the cert fingerprints, and log when those change.

> Then each MUA can start encrypting to that key opportunistically.

Start/TLS does encrypt my mail far more often than PGP/GPG.

> Lots of variations. But the key thing is that the MUA
> should simply generate the key, sign it, and send it out
> on demand, or more frequently. There's really no reason
> why this can't all be automated. After all, the existing
> email system is automated, and trusted well enough to
> deliver email, so why can't it deliver self-signed certs?

Talk to Exim/Postfix maintainers. They should ship self-signed cert
Start/TLS config out of the box. Even without cert caching, that'd
require a MITM. Not exactly cheap, and prone to detection, if practiced
on a nonnegligible scale (fingerprint checking).

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

----- End forwarded message -----
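The fingerprint-caching idea in the reply above ("cache the cert fingerprints, and log when those change") worked through as an added example; this is not code from the original thread or from Postfix/Exim. It implements a trust-on-first-use cache keyed by sender address: the first fingerprint seen for a sender is pinned, later matches are silent, and a differing fingerprint is logged and reported without overwriting the pin, which is exactly the event a MITM (or a legitimate re-key) would produce. The header name X-Cert-Fingerprint, the fingerprint format (SHA-256 over the DER certificate, colon-separated hex), and the certificate bytes and messages are all constructed assumptions for the example.

```python
"""TOFU-style cache of per-sender certificate fingerprints carried in mail headers.

Added example, not part of the original mailing-list post. Assumes a
hypothetical header name X-Cert-Fingerprint holding SHA-256 over the
sender's DER-encoded self-signed cert as colon-separated uppercase hex.
"""
from __future__ import annotations

import email
import hashlib
import logging
from email.utils import parseaddr

HEADER = "X-Cert-Fingerprint"  # hypothetical header name (assumption)
HEX = set("0123456789ABCDEF")
log = logging.getLogger("tofu")


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sender_and_fingerprint(raw: bytes) -> tuple[str, str] | None:
    """Extract (sender address, fingerprint) from a raw RFC 5322 message.

    Returns None when either is missing or the fingerprint is malformed,
    so garbage never enters the cache.
    """
    msg = email.message_from_bytes(raw)
    _, addr = parseaddr(msg.get("From", ""))
    fp = msg.get(HEADER)
    if not addr or not fp:
        return None
    fp = fp.strip().upper()
    parts = fp.split(":")
    if len(parts) != 32 or not all(len(p) == 2 and set(p) <= HEX for p in parts):
        return None
    return addr.lower(), fp


class FingerprintCache:
    """Pin the first fingerprint seen per sender; report every deviation."""

    FIRST_SEEN = "first-seen"
    MATCH = "match"
    CHANGED = "changed"

    def __init__(self) -> None:
        self._pinned: dict[str, str] = {}

    def observe(self, raw: bytes) -> str | None:
        parsed = sender_and_fingerprint(raw)
        if parsed is None:
            return None
        addr, fp = parsed
        known = self._pinned.get(addr)
        if known is None:
            self._pinned[addr] = fp
            log.info("%s: pinned fingerprint %s", addr, fp)
            return self.FIRST_SEEN
        if known == fp:
            return self.MATCH
        # Deliberately do not overwrite the pin: a change is what a MITM
        # or a re-keyed sender looks like, and it must be logged, not absorbed.
        log.warning("%s: fingerprint changed from %s to %s", addr, known, fp)
        return self.CHANGED


def build_message(sender: str, fp: str) -> bytes:
    """Construct a minimal message carrying the fingerprint header (test input)."""
    return (
        f"From: {sender}\r\nTo: bob@example.net\r\n{HEADER}: {fp}\r\n"
        f"Subject: constructed sample\r\n\r\nhello\r\n"
    ).encode()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    cache = FingerprintCache()
    fp_a = fingerprint(b"constructed-der-bytes-A")  # stand-in for a real cert
    fp_b = fingerprint(b"constructed-der-bytes-B")  # stand-in for a different cert
    for fp in (fp_a, fp_a, fp_b):
        print(cache.observe(build_message("alice@example.org", fp)))
```

Running the block prints first-seen, match, changed: the third message carries a different certificate and is flagged while the original pin stays in place.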
