On 10/16/25 7:09 AM, Viktor Dukhovni via mailop wrote:
> With DANE, client certificates can and SHOULD be self-signed, but
> can be from a private CA, when that makes sense.
Please elaborate on why the client certificate SHOULD be self-signed or
from a private CA /within the context of DANE/.
I can see how some upcoming changes regarding extended key usage coerce
what you're describing.
> MTA server certificates can also be self-signed, though on the MSA
> ports 465 and 587 a certificate chained to one of the usual WebPKI
> trust-anchors is typically useful to placate MUAs.
I concur.
Though I think that, in a day and age where we're chasing TLS certificate
security seemingly as fast and far as we can, having a TLS certificate
that MUAs recognize and trust is probably a Good Thing.
Let's put a little bit of the concern about things like extended key
usage into using a TLS certificate from a known -> trusted CA. Let's
avoid monkey in the middle opportunities where it's relatively easy to
do so.
--
Grant. . . .
unix || die
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
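The exchange above turns on why the issuer of a DANE client (or server) certificate is irrelevant: with DANE-EE (TLSA usage 3) and selector 1, the TLSA record pins a digest of the SubjectPublicKeyInfo, so a self-signed certificate and a private-CA certificate carrying the same key both match, while the signature and issuer never enter the check. The script below is an added illustration of that, not code from Viktor or Grant, and not from any MTA. It builds syntactically valid but unsigned X.509 DER in code (constructed test data with dummy public keys and a placeholder signature) so it runs offline with only the standard library; the SPKI extraction walks tbsCertificate by position as RFC 5280 lays it out, so real certificates parse the same way. Only usage 3 is implemented; usage 2 (DANE-TA) would additionally need chain validation to the pinned trust anchor.

```python
"""DANE-EE (TLSA usage 3) matching against self-signed / private-CA certificates.

Added example for this thread, not the posters' code.  Certificates are built in
code (valid DER, dummy keys, placeholder signature) so the script runs offline.
"""
import hashlib


# ---- minimal DER helpers --------------------------------------------------
def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def tlvs(buf: bytes) -> list:
    """Split a SEQUENCE body into (tag, whole_tlv_bytes) children."""
    out, off = [], 0
    while off < len(buf):
        tag, ln, hdr = buf[off], buf[off + 1], 2
        if ln & 0x80:                              # long-form length
            nb = ln & 0x7F
            ln = int.from_bytes(buf[off + 2:off + 2 + nb], "big")
            hdr += nb
        end = off + hdr + ln
        out.append((tag, buf[off:end]))
        off = end
    return out


def body(tlv: bytes) -> bytes:
    """Return the value part of a single TLV."""
    ln, hdr = tlv[1], 2
    if ln & 0x80:
        hdr += ln & 0x7F
    return tlv[hdr:]


# ---- X.509 pieces (constructed test data, not real certificates) ----------
OID_ED25519 = der(0x06, b"\x2b\x65\x70")          # 1.3.101.112 (Ed25519)
OID_CN = der(0x06, b"\x55\x04\x03")               # 2.5.4.3 commonName


def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (just CN=...)."""
    return seq(der(0x31, seq(OID_CN, der(0x0C, cn.encode()))))


def spki_ed25519(pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo for an Ed25519 key (32 raw bytes, dummy here)."""
    assert len(pubkey) == 32
    return seq(seq(OID_ED25519), der(0x03, b"\x00" + pubkey))


def make_cert(subject: str, issuer: str, pubkey: bytes, serial: int) -> bytes:
    """Build an X.509v3 Certificate.  The signature is a placeholder: DANE-EE
    never checks it, the TLS handshake itself proves possession of the key."""
    assert 0 < serial < 0x80                      # keeps the INTEGER minimal DER
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),            # [0] version = v3
        der(0x02, bytes([serial])),               # serialNumber
        seq(OID_ED25519),                         # signature AlgorithmIdentifier
        name(issuer),                             # issuer
        seq(der(0x17, b"250101000000Z"), der(0x17, b"260101000000Z")),  # validity
        name(subject),                            # subject
        spki_ed25519(pubkey),                     # subjectPublicKeyInfo
    )
    return seq(tbs, seq(OID_ED25519), der(0x03, b"\x00" + b"\x00" * 64))


def spki_from_cert(cert: bytes) -> bytes:
    """Extract SubjectPublicKeyInfo by position in tbsCertificate (RFC 5280)."""
    tbs = tlvs(body(cert))[0][1]
    fields = tlvs(body(tbs))
    if fields[0][0] == 0xA0:                      # optional [0] version
        fields = fields[1:]
    return fields[5][1]                           # serial, sigAlg, issuer, validity, subject, SPKI


# ---- TLSA -----------------------------------------------------------------
def tlsa_rdata(cert: bytes, usage: int = 3, selector: int = 1, mtype: int = 1):
    """TLSA rdata for a certificate as (usage, selector, matching type, hex)."""
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) shown; usage 2 needs chain validation")
    data = cert if selector == 0 else spki_from_cert(cert)   # 0 = full cert, 1 = SPKI
    digest = {0: lambda d: d,                                 # 0 = exact match
              1: lambda d: hashlib.sha256(d).digest(),        # 1 = SHA2-256
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return (usage, selector, mtype, digest.hex())


def tlsa_presentation(owner: str, record) -> str:
    return f"{owner} IN TLSA {record[0]} {record[1]} {record[2]} {record[3]}"


def tlsa_matches(record, presented_cert: bytes) -> bool:
    """DANE-EE check: recompute the association data from the presented
    end-entity certificate and compare.  Issuer and signature play no part."""
    usage, selector, mtype, _ = record
    return tlsa_rdata(presented_cert, usage, selector, mtype) == record


if __name__ == "__main__":
    key_a = bytes(range(32))                      # constructed "public keys",
    key_b = bytes(range(32, 64))                  # not real Ed25519 points
    self_signed = make_cert("mail.example", "mail.example", key_a, 1)
    from_private_ca = make_cert("mail.example", "Example Private CA", key_a, 2)
    other_key = make_cert("mail.example", "mail.example", key_b, 3)

    rec_spki = tlsa_rdata(self_signed, 3, 1, 1)   # "3 1 1": pins the key
    rec_cert = tlsa_rdata(self_signed, 3, 0, 1)   # "3 0 1": pins this exact cert
    print(tlsa_presentation("_25._tcp.mail.example.", rec_spki))
    for label, c in [("self-signed", self_signed), ("private CA", from_private_ca),
                     ("other key", other_key)]:
        print(f"{label:12s} 3 1 1 -> {tlsa_matches(rec_spki, c)}"
              f"   3 0 1 -> {tlsa_matches(rec_cert, c)}")
```

The run shows the point of the thread: the "3 1 1" record matches both the self-signed certificate and the private-CA certificate for the same key, and rejects a certificate with a different key, while the "3 0 1" record matches only the exact certificate it was generated from. That is why the SPKI selector is the usual choice: the key can be reissued under a new cert, self-signed or otherwise, without touching DNS.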