On Fri, 15 Aug 2008 15:57:17 -0600, Peter Saint-Andre <[EMAIL PROTECTED]> said:

> Johansson Olle E wrote:
>> There is a lot we could add in a best-practice document. Self-signed
>> certificates don't belong to a CA, but can still be identified with a
>> fingerprint. Postfix (e-mail server) supports both fingerprints and
>> CA-style certificate handling.
> Yes, it would be good to see how this is handled in mail servers.

Mail servers generally practice "opportunistic encryption", similar to what
jabber servers do now (but without the callback stuff). It is possible to
configure sendmail, exim, and presumably others to insist on valid
certificates, but nobody does for MTAs that will be talking to the rest of
the world. (Some may do it for corporate MTAs, and it's not uncommon for
MSAs to require valid certificates for relay authorization.)

> I suppose one question is: how do you check fingerprints?

Well, if you're doing DNSsec as Olle suggested, you just put the whole
public key in the DNS using a DNSKEY record. You then authenticate the
record using standard DNSsec protocols. (This currently works in .se and
.br, and is supposed to be rolled out next year for .org. Having IANA
actually sign the root is still some ways off.)

-GAWollman
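As an added example (not code from this thread, from Postfix, or from any of the MTAs named above), the following Python models the three postures the message contrasts: opportunistic TLS as the default for unlisted destinations, a "secure" level that insists on a CA-validated certificate with a matching name, and a "fingerprint" level that pins a self-signed certificate by the digest of its DER encoding. The policy-table syntax is modelled on Postfix's smtp_tls_policy_maps levels (may / encrypt / fingerprint / secure, with match= digests separated by "|"), but the parser, the PeerTLS record and the certificate bytes are all constructed for this example; the "certificates" are placeholder byte strings, not real DER, since fingerprint checking only hashes the bytes.

```python
"""Per-destination TLS policy evaluation for an outbound MTA.

Added example modelled on Postfix's smtp_tls_policy_maps levels.
Everything here (table, peers, certificate bytes) is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PeerTLS:
    """What the remote MTA presented during delivery (constructed)."""
    offered_starttls: bool
    cert_der: Optional[bytes] = None   # DER bytes of the leaf certificate
    ca_valid: bool = False             # chained to a trusted CA?
    name_matches: bool = False         # certificate name matches destination?


def fingerprint(cert_der: bytes, digest: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER certificate."""
    hexd = hashlib.new(digest, cert_der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


# Constructed stand-ins for certificate bytes (not real DER encodings).
PINNED_DER = b"constructed stand-in for pinned.example's self-signed cert"
OTHER_DER = b"constructed stand-in for some other certificate"

# Constructed policy table: "<domain> <level> [key=value ...]".
#   may         opportunistic: TLS if offered, otherwise cleartext
#   encrypt     TLS required, certificate not checked
#   fingerprint TLS required, leaf cert digest must match one of match=
#   secure      TLS required, CA validation and name match required
POLICY_TABLE = f"""
secure.example   secure
encrypt.example  encrypt
pinned.example   fingerprint match={fingerprint(PINNED_DER)}
"""


def parse_policy(text: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Parse the table into {domain: (level, params)}; '#' starts a comment."""
    table: Dict[str, Tuple[str, Dict[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, level, *opts = line.split()
        params = dict(opt.split("=", 1) for opt in opts)
        table[domain.lower()] = (level.lower(), params)
    return table


def decide(domain: str, peer: PeerTLS, table, default: str = "may") -> Tuple[str, str]:
    """Return ('deliver' | 'defer', reason) for one delivery attempt.

    Unlisted destinations get the opportunistic default, which is what
    Internet-facing MTAs actually run with.
    """
    level, params = table.get(domain.lower(), (default, {}))
    if not peer.offered_starttls:
        if level == "may":
            return "deliver", "may: peer offers no TLS, sending in cleartext"
        return "defer", f"{level}: peer offers no TLS"
    if level in ("may", "encrypt"):
        return "deliver", f"{level}: encrypted, certificate not checked"
    if level == "fingerprint":
        seen = fingerprint(peer.cert_der or b"")
        pinned = {m.strip().upper() for m in params.get("match", "").split("|")}
        if seen in pinned:
            return "deliver", "fingerprint: pinned certificate matched"
        return "defer", f"fingerprint: {seen[:23]}... is not a pinned digest"
    if level == "secure":
        if peer.ca_valid and peer.name_matches:
            return "deliver", "secure: CA-validated certificate with matching name"
        return "defer", "secure: certificate failed CA validation or name check"
    raise ValueError(f"unknown policy level {level!r}")


if __name__ == "__main__":
    table = parse_policy(POLICY_TABLE)
    attempts = [
        ("unlisted.example", PeerTLS(offered_starttls=False)),
        ("secure.example", PeerTLS(True, OTHER_DER, ca_valid=True, name_matches=True)),
        ("secure.example", PeerTLS(True, OTHER_DER, ca_valid=True, name_matches=False)),
        ("pinned.example", PeerTLS(True, PINNED_DER)),
        ("pinned.example", PeerTLS(True, OTHER_DER)),
    ]
    for dest, peer in attempts:
        print(dest, *decide(dest, peer, table))
```

The point the model makes concrete: under the opportunistic default a peer that never offers STARTTLS still gets the mail, so the "secure" and "fingerprint" rows are the only ones whose deferrals actually depend on the certificate, and the fingerprint row needs no CA at all, only a digest distributed out of band (or, as the message suggests, through a DNSSEC-signed record).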
