On Thu, May 24, 2007 at 01:55:49PM -0600, Peter Saint-Andre wrote:

> Paul Hoffman wrote:
> >At 6:34 PM +0200 5/23/07, Florian Weimer wrote:
> >
> >>But no one is issuing certificates which are suitable for use with
> >>SMTP (in the sense that the CA provides a security benefit).
> >
> >No one? I thought that VeriSign and others did, at least a few years ago.
>
> FWIW, last year we established a dedicated Intermediate Certification
> Authority for issuing digital certificates to admins of XMPP servers:
>
> https://www.xmpp.net/

The main difficulty with SMTP is that indirection via MX records maps poorly onto X.509v3 CommonName, and only slightly better onto SubjectAlternativeName(DNS). Users don't request delivery to an MX host, they request delivery to [EMAIL PROTECTED]

Indeed DNSSEC + certificates in a trusted DNS would be vastly better, but not only are we not getting there, we don't even seem to be going there at all.

-- 
Victor Duchovni
IT Security, Morgan Stanley
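
The MX indirection problem raised in the message above, as an added example that is not part of the original thread: a certificate can match the MX host name and still say nothing about the recipient's domain unless the domain-to-MX mapping was obtained securely. The function names, domains and SAN lists are constructed for illustration, and the wildcard rule is the common single left-most label convention.

```python
# Added illustration. All domains and SAN lists are constructed samples.

def dns_name_matches(pattern, host):
    """Compare a certificate DNS name with a host name, label by label,
    allowing a single '*' as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(san_dns, name):
    return any(dns_name_matches(entry, name) for entry in san_dns)

def assess(recipient_domain, mx_host, san_dns, mx_authenticated):
    """Say which reference identity the certificate satisfies, and whether
    that ties the TLS peer to the domain the user actually addressed."""
    by_domain = cert_covers(san_dns, recipient_domain)
    by_mx = cert_covers(san_dns, mx_host)
    # A match on the MX name only helps if the domain -> MX mapping was
    # itself obtained securely (for example from signed DNS data).
    bound = by_domain or (by_mx and mx_authenticated)
    return {"matches_domain": by_domain, "matches_mx": by_mx,
            "bound_to_recipient_domain": bound}

# Constructed case: mail for example.org is hosted at a provider whose
# certificate names only the provider's own MX host.
HOSTED = ("example.org", "mx1.mailhost.example", ["mx1.mailhost.example"])

if __name__ == "__main__":
    for authenticated in (False, True):
        print(authenticated, assess(*HOSTED, mx_authenticated=authenticated))
    # Constructed case: the operator's certificate also lists the mail domain.
    print(assess("example.org", "mail.example.org",
                 ["example.org", "mail.example.org"], False))
```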