On 11/30/2014 07:12 PM, Viktor Dukhovni wrote:
On Sun, Nov 30, 2014 at 07:00:15PM -0500, Robert Moskowitz wrote:
I am not suggesting you do this, but since you asked...
As so often, Viktor, you get right to the 'key' point. Yes, why bother. Is
it any faster if it has a lot of root CA files to check against?
The performance cost is not an issue.
With CApath, the performance is largely idpendent of the number of
CAs, until you start trusting more than ~65,000 CAs at which point
there is a negligible logarithmic cost due to collisions of the
32-bit hashed issuer DNs.
So leave it alone. Just another interesting message happening. Nothing
REALLY interesting, move along...
Correct. In 2.13 (or whatever number we assign to the release
after next), we may add a forensically useful (even if not a
proactive defense) way to employ trusted CAs to "try" to authenticate
SMTP servers. You'll know that some connections happened to be
protected, and would need to employ log analysis to look for
anomalies indicative of MiTM attack in order to take advantage of
such forensic evidence.
You would have to 'know' that an MTA does have a trusted cert, and a
connection claiming to be that MTA is not trusted. Hmmm, dns offers
SOME protection here, and of course that takes us to DANE.
My head hurts. And I have a headcold and a fever anyway, so this is NOT
the time to try and think this though.
