On Mon, 01 Aug 2005 20:15:04 -0400, Steve Shockley <[EMAIL PROTECTED]> wrote:
>J.C. Roberts wrote:
>> I don't mean to be confrontational but personally I didn't think there
>> was any point in securing anon/public access?
>
>Does FTP in SSL/TLS verify certificates? It could be used to verify
>that the server you're connecting to is actually the server you think it
>is. (IOW, signing vs. encrypting.)

I'm really not sure. -The only work I've actually done with wrapping
older protocols in SSL/TLS was with the Cyrus SASL port.

In general cert verification (i.e. checking for revocations) is done by
the client, so if anything you're probably looking at another client
side configuration issue (assuming the feature actually exists). I'm not
sure if it's still true with MS-Windows but at one time MSIE, by
default, did not check for cert revocations.

In other words "yes" SSL/TLS probably could be used to help protect
against redirection from spoofing, DNS poisoning or similar but
realistically, such help would not be worth much.

-Do users actually read the keys?
-Do the self proclaimed signing "authorities" sell their supposed
"services" to anyone willing to pay them?

Basically it doesn't solve the problem, instead, the problem is simply
moved from trying to confirm DNS resolution to trying to confirm
certificates. Whether or not moving the problem from one field to
another does any good is a subject of debate with vastly differing (and
heated) opinions on all sides.

JCR

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
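
Added example, not part of the original message: the reply above says certificate and revocation checking are client-side settings, so this Python sketch audits three `ssl` client contexts for an FTPS client (`ftplib.FTP_TLS`) and reports which server-identity checks each one skips. The function names and the CRL file name are hypothetical; nothing here connects to a server.

```python
import ssl
from ftplib import FTP_TLS

def encrypt_only_context():
    """Encrypts the session but accepts any certificate from any server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def default_context():
    """Library default: chain and hostname are verified, revocation is not."""
    return ssl.create_default_context()

def strict_context():
    """Default plus a CRL check on the server (leaf) certificate."""
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    # With this flag the handshake fails unless the issuing CA's CRL has been
    # loaded, e.g. ctx.load_verify_locations(cafile="ca-crl.pem"), where
    # "ca-crl.pem" is a placeholder file name.
    return ctx

def audit_context(ctx):
    """List the server-identity checks this client context will skip."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified")
    if not ctx.check_hostname:
        gaps.append("hostname not matched")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        gaps.append("revocation not checked")
    return gaps

def ftps_client(ctx):
    """Build an unconnected FTPS client; refuse contexts that only encrypt."""
    gaps = audit_context(ctx)
    if "chain not verified" in gaps or "hostname not matched" in gaps:
        raise ValueError("server identity would not be checked: " + ", ".join(gaps))
    return FTP_TLS(context=ctx)   # ftplib passes the host name to wrap_socket()

if __name__ == "__main__":
    for make in (encrypt_only_context, default_context, strict_context):
        print(f"{make.__name__:22} skips: {audit_context(make()) or 'nothing'}")
```

The default context already rejects an untrusted chain or a mismatched host name, but it still reports "revocation not checked", which is the client-side default the reply describes.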

