Adam Shostack wrote: > On Wed, Oct 02, 2002 at 04:54:54PM +0100, Ben Laurie wrote: > | Lucky Green wrote: > | >I also agree that current MTAs' implementations of STARTTLS are only a > | >first step. At least in postfix, the only MTA with which I am > | >sufficiently familiar to form an opinion, it appears impossible to > | >require that certs presented by trusted parties match a particular hash > | >while certs presented by untrusted MTAs can present any certificate they > | >desire to achieve EDH-level security. > | > | This is probably a stupid question, but... why would you want to do this? > > So that your regular correspondants are authenticated, while anyone > else is opportunisticly encrypted.
??? How does checking their MTA's cert authenticate them? What's wrong with PGP sigs? Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff