On Wed, May 16, 2007 at 09:32:43AM +0300 or thereabouts, Vilius Šumskas wrote:

> >2. Here is where your above statement is flawed. In order to log in to your
> >server, you have to AUTHENTICATE.... you must provide a password or in
> >combo with CRAM-MD5 or some such, although it could be plain.
> >
> >Most importantly........
> >
> >3. IMAP certs do *nothing* except encrypt the connection from the client
> >to the server. It has nothing to do with authentication, nothing to do with
> >compromising a server. We are not talking about e-commerce here, where you
> >send your credit card over the wire. We are talking about encrypting a
> >connection to/from an IMAP server. You still have to authenticate, if the
> >server is worth anything, and not a public server, in which case just use
> >port 143 without SSL. It is the authentication that is important.
>
> It is possible to reverse engineer a private key from a public key,
> especially if you are using less than 1024-bit private key encryption
> (and please remember that, for example in the USA, it is _enforced_ by law).
> All you need is time. It is advised to change your private/public key
> pairs from time to time. This way you can be sure that the key was not
> broken, stolen or compromised in any other way. That's why the "valid
> from" and "valid to" fields were introduced in X.509 in the first place.
> You can think of it like "password expiration".

So what? The above is all public knowledge, common stuff, basic info. It has nothing to do with IMAPS. You spend your time for years with 1000s of clustered computers to reverse engineer a private key...... For IMAP! Give me a break! We are talking about IMAP here, not e-commerce. You seem to forget that. You STILL have to auth into an IMAP(S) server, period. Don't want to use it, then don't, or use port 143, standard protocol, whereupon you would still need to authenticate. Your above paragraph is general info for the newbie, not specific to IMAPS, and has nothing to do with the topic.

> In other words, a certificate is a "vehicle of cryptographic trust" and
> users should not trust a certificate if it is expired.

Then don't use it for IMAPS, use port 143... very basic stuff...

> >4. Every other email client allows the user to choose whether he wishes
> >to accept a cert, any cert, for IMAP. I'm a grown-up guy, and I can make
> >my own decisions if I want to accept a cert or not. Jumping through
> >hoops to get to an IMAP server, after you used Stunnel a few 1000
> >times, is just a pain - unnecessary, I might add. It is just easier to
> >use another client.
>
> And how do you know, that first time, that you are accepting the certificate
> from the server if it is self-signed?

Read up on DNS. Have you ever built DNS servers professionally, or maintained at least one? Do you understand how it works? Have you ever built email/IMAP/POP servers professionally, or maintained one or 100s of them? You don't want to use self-signed for basic IMAPS? Don't use it, use the standard port.... Once again, you have to auth to get into the server. It is the authentication, e.g. plain, CRAM-MD5, RADIUS server, etc., that gets you into the server. Whether you want to use SSL or go in the clear, it is your choice. YOU GET a CHOICE with other clients. You seem to forget that every other IMAP email client, roughly 250 of them, allows you to accept the cert. *They give you the choice* to do so, for one-time use only, or permanently, or not at all. This IS the point.

> I can easily view the properties of such certificates, create my own CA and
> create exactly the same certificate from the properties point of view.

So what? Can you easily authenticate using someone's password to get into the server? Do you finally get my point, instead of your generalized ramblings about a self-signed cert, or, less importantly, giving a probability of reverse engineering a cert? When a new account signs up on my servers, I send him a package which includes the cert for him to install.

Their company can use it, or not..... it is *their* choice. You get choices, not decisions made for you by TB! saying you cannot use it if it is expired after its time. Have the admin send you the cert when you sign up for an account....

> And not everyone has a direct connection to the server to accept it
> that first time.

Are you talking about a company firewall, or a proxy... Other than that, just exactly how would you not have a direct connection for your theoretical first time? (Which you would not need if the admin sent a cert to begin with.)

Sorry, I'm too busy to spend any more time on this general, way off-topic, nonsense.

-- 
Gary

________________________________________________________
Current beta is 3.99.06 | 'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
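The disagreement in this thread comes down to what a self-signed IMAPS certificate can and cannot establish: Vilius notes that an attacker can mint a certificate with exactly the same visible properties, and Gary wants the client to let the user accept a cert once or permanently. The Go program below is an added example written for this page; it is not code from the thread, from The Bat!, or from any mail client. It builds two self-signed certificates with identical subject, issuer and validity window but different key pairs, shows that comparing the properties a certificate viewer displays cannot tell them apart while a SHA-256 fingerprint of the DER encoding can, and implements the check a client that "accepted the cert permanently" should run on every reconnect: pinned fingerprint plus validity window. The hostname imap.example.com, the organisation name and the dates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrExpired     = errors.New("certificate is outside its validity period")
	ErrPinMismatch = errors.New("certificate fingerprint does not match the pinned value")
)

// SelfSigned builds a self-signed server certificate with a fresh P-256 key.
// Constructed for this example; nothing here is read from a real server.
func SelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host, Organization: []string{"Example Mail"}},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// Using the template as its own parent makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER encoding: the value a client stores
// when the user accepts a self-signed certificate "permanently".
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SameProperties compares only the fields a certificate viewer shows.
// Two certificates from different keys can agree on all of them.
func SameProperties(a, b *x509.Certificate) bool {
	return a.Subject.String() == b.Subject.String() &&
		a.Issuer.String() == b.Issuer.String() &&
		a.NotBefore.Equal(b.NotBefore) &&
		a.NotAfter.Equal(b.NotAfter)
}

// CheckPinned is the reconnect check for a pinned self-signed certificate:
// the presented certificate must be inside its validity window at `now`
// and must be byte-for-byte the one the user accepted.
func CheckPinned(presented *x509.Certificate, pinned string, now time.Time) error {
	if now.Before(presented.NotBefore) || now.After(presented.NotAfter) {
		return ErrExpired
	}
	if Fingerprint(presented) != pinned {
		return ErrPinMismatch
	}
	return nil
}

func main() {
	now := time.Date(2007, 5, 16, 9, 0, 0, 0, time.UTC)
	start, end := now.Add(-24*time.Hour), now.Add(365*24*time.Hour)
	genuine, err := SelfSigned("imap.example.com", start, end)
	if err != nil {
		panic(err)
	}
	// A clone with the same visible properties but a different key pair.
	clone, err := SelfSigned("imap.example.com", start, end)
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(genuine)
	fmt.Println("same properties:", SameProperties(genuine, clone))
	fmt.Println("genuine, in date:", CheckPinned(genuine, pin, now))
	fmt.Println("clone, in date:  ", CheckPinned(clone, pin, now))
	fmt.Println("genuine, expired:", CheckPinned(genuine, pin, end.Add(time.Hour)))
}
```

The point of the example is that "accept once" or "accept permanently" is only safe as a fingerprint pin: the clone passes every property comparison and fails only the pin. The validity check is kept separate so that an expired pinned certificate is reported as expired rather than as a mismatch, which is the decision the thread argues the client should hand back to the user.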

