regarding ssl certificates

Jochen Bern Jochen.Bern at binect.de
Thu Mar 14 19:07:19 EET 2019


(Sorry for the broken references, my MUA misplaced the e-mail I'm
*actually* replying to.)

On 03/14/2019 03:08 PM, Stephan von Krawczynski wrote:
> Some facts for you, as obviously you have not understood what a CA is worth
> that is compromised by either hackers or "authorities".
> If you want to know more, read articles about closing of CA DigiNotar, like:
> https://en.wikipedia.org/wiki/DigiNotar
> 
> Then read US export laws concerning security devices.
> Then judge your US-issued certs...

Out of interest, does(*) or doesn't(**) your scenario include mechanisms
like HPKP?

(*) I'm not aware of any MUAs implementing one, just browsers, and it's
now being phased out by *them* in favor of CT, too.

(**) If not, the question of what CAs issued any *legit* certs for you
has no practical relevance on whether and which other CAs may get hacked
or judicially suborned into creating a working fraudulent one.

(Where "practical" means "you cannot expect the entire, possibly
worldwide, user population to manually strip their clients' list of
accepted CAs down to the one *you* chose".)

Regards,
-- 
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect
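
Added example, not part of the original message or of Dovecot: a Python sketch of the HPKP-style check raised in the reply, computing the pin as base64(SHA-256) over the certificate's DER SubjectPublicKeyInfo and showing that a pin set, unlike the shared CA list, is tied to one key. `toy_cert`, `accept`, `chain_ok`, the host name and the CA names are constructed for illustration; the skeleton certificates are unsigned and only follow X.509 field order.

```python
import base64
import hashlib

def tlv(tag, body):
    """Encode one DER element (definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos):
    """Return (tag, body_start, end) of the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    body = pos + 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the count of length bytes
        k = first & 0x7F
        length = int.from_bytes(buf[body:body + k], "big")
        body += k
    if body + length > len(buf):
        raise ValueError("truncated DER")
    return tag, body, body + length

def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    _, pos, _ = read_tlv(cert_der, 0)        # Certificate
    _, pos, _ = read_tlv(cert_der, pos)      # tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)      # subjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def toy_cert(issuer, key):
    """CONSTRUCTED skeleton in X.509 field order; unsigned, not a real cert."""
    name = lambda s: tlv(0x30, tlv(0x0C, s.encode()))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"")
              + name("mail.example.test") + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")), spki

def accept(cert_der, chain_ok, pins=None):
    """chain_ok stands in for normal validation against the client's CA list."""
    return chain_ok and (pins is None or spki_pin(cert_der) in pins)
```

Because the pin covers only the public key, a certificate reissued for the same key by a different CA keeps the same pin, while a certificate for a different key fails the check no matter which accepted CA signed it.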
