regarding ssl certificates
Phil Turmel
philip at turmel.org
Thu Mar 14 22:23:45 EET 2019
On 3/14/19 10:08 AM, Stephan von Krawczynski via dovecot wrote:
> Some facts for you, as obviously you have not understood what a CA is worth
> that is compromised by either hackers or "authorities".
> If you want to know more, read articles about closing of CA DigiNotar, like:
> https://en.wikipedia.org/wiki/DigiNotar
I am well aware of what happens when a CA is compromised and
man-in-the-middle attacks become possible. Your initial mail implied
that the user's own keys would be compromised. Running your own CA is
quite useless for asserting one's identity to random other mail servers
as you'd have to get them all to trust you as a CA, with exactly the
same problems as any other CA, with anonymity tacked on. DNSSEC would
be wonderful if it was commonly supported, but we ain't there yet.
The point is that a cert from any currently recognized cert authority is
*operationally* better than a snakeoil cert. The practical impact of
your initial advice is "don't run a mail server".
Also, secrets don't last -- nobody trusts anything that came from
DigiNotar. That will happen to any CA caught issuing bogus certs,
regardless for whom.
> Then read US export laws concerning security devices.
> Then judge your US-issued certs...
Totally orthogonal to the problem of mutual trust for mail handling.
More information about the dovecot
mailing list