* Victor Duchovni:

>> But no one is issuing certificates which are suitable for use with
>> SMTP (in the sense that the CA provides a security benefit). As far
>> as I know, there isn't even a way to store mail routing information in
>> X.509 certificates.
>
> There is no need to store routing information:
>
> http://www.postfix.org/TLS_README.html#client_tls_limits
> http://www.postfix.org/TLS_README.html#client_tls_levels
> http://www.postfix.org/TLS_README.html#client_tls_verify
> http://www.postfix.org/TLS_README.html#client_tls_secure
>
> The short summary is that full security is only available when the
> receiving MX hosts have certs that match the recipient domain,

Which runs into the same problem as HTTP because the set of recipient
domain names is not known at the time the TLS handshake occurs.

> or the sender is willing to manually (in his MTA configuration) bind
> the recipient domain to the subject names (or in 2.5 fingerprints)
> of the appropriate MX hosts.

And if you use fingerprints, there is no need for PKI. And in my
experience, PKI doesn't buy you that much if you need to configure
per-client privileges and things like that. Using the DN instead of a
fingerprint doesn't seem to be worth the trouble.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
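The two per-destination bindings discussed in the thread, the `secure` level with a `match=` list of expected subject names and the `fingerprint` level that pins the MX certificate digest directly, are expressed in Postfix as entries of a `smtp_tls_policy_maps` table. The following is an added illustration written for this page, not code from the thread or from the Postfix project: it computes a certificate fingerprint the way `openssl x509 -fingerprint` and Postfix's `smtp_tls_fingerprint_digest` do (digest over the DER certificate, upper-case hex with colons), checks a presented certificate against a pinned list, and formats both kinds of policy line. The "certificate" bytes are a constructed stand-in rather than a real X.509 object, and the colon-and-case normalization in `fingerprint_matches` is my own helper, not a statement of how Postfix compares fingerprints.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate, just bytes standing in for the
# DER encoding that a real MX host would present in the TLS handshake.
SAMPLE_DER = b"constructed-stand-in-for-a-DER-encoded-MX-certificate"


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, as `openssl x509` prints a certificate."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def der_from_pem(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Fingerprint in the form `openssl x509 -noout -fingerprint -sha256` and
    Postfix (smtp_tls_fingerprint_digest = sha256) use: the digest of the whole
    DER certificate as upper-case hex with a colon between bytes.  No CA is
    involved: the value identifies exactly one certificate."""
    h = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def _normalize(fp: str) -> str:
    # Own convention (assumption): compare ignoring case and colon placement so
    # a value pasted from another tool's output still matches.
    return fp.replace(":", "").upper()


def fingerprint_matches(presented_der: bytes, pinned: list[str],
                        digest: str = "sha256") -> bool:
    """True if the presented certificate's fingerprint is one of the pinned
    values; this is the check a fingerprint-level policy relies on."""
    got = _normalize(fingerprint(presented_der, digest))
    return any(_normalize(p) == got for p in pinned)


def policy_line(domain: str, level: str, matches: list[str]) -> str:
    """One smtp_tls_policy_maps entry.  For `fingerprint` each pinned digest is
    its own match= attribute; for `secure` the match= value is a colon-separated
    list of acceptable subject names (e.g. example.com:.example.com)."""
    if level == "fingerprint":
        attrs = " ".join("match=" + m for m in matches)
    else:
        attrs = "match=" + ":".join(matches)
    return f"{domain} {level} {attrs}"


if __name__ == "__main__":
    pem = pem_from_der(SAMPLE_DER)
    fp = fingerprint(der_from_pem(pem))
    # The PKI route: trust the CA, but pin which names the MX cert may carry.
    print(policy_line("example.com", "secure", ["example.com", ".example.com"]))
    # The fingerprint route: no CA at all, pin the MX certificate itself.
    print(policy_line("example.com", "fingerprint", [fp]))
    print("presented cert accepted:", fingerprint_matches(SAMPLE_DER, [fp]))
```

The printed lines go into the table named by `smtp_tls_policy_maps` (for example `hash:/etc/postfix/tls_policy`, rebuilt with `postmap`), with `smtp_tls_fingerprint_digest = sha256` in `main.cf` so the digest algorithm matches the one used to compute the pinned value.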
