On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine <jo...@iecc.com> wrote:
> Really, this isn't hard to understand. Current SSL signers do no more > than tie the identity of the cert to the identity of a domain name. Anyone > who's been following the endless crisis at ICANN about bogus WHOIS knows > that domain names do not reliably identify anyone. > So you're saying that you'd have no problems getting a well-known-CA signed certificate for, say, pop.mail.yahoo.com? If you can't, then it would seem that the current process provides (at least) a better mechanism than just blindly accepting self-signed certificates, no? Also keep in mind that this particular argument is about the certs used to > submit mail to Gmail, which requires a separate SMTP AUTH within the SSL > session before you can send any mail. This isn't belt and suspenders, this > is belt and a 1/16" inch piece of duct tape. > Err.. no it's not. It's about the certs used when Gmail connects to a 3rd-party host to collect mail. ie, Google is the client, not the server. Scott