Gmail and SSL
scott at doc.net.au
Wed Jan 2 00:04:11 UTC 2013
On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine <johnl at iecc.com> wrote:
> Really, this isn't hard to understand. Current SSL signers do no more
> than tie the identity of the cert to the identity of a domain name. Anyone
> who's been following the endless crisis at ICANN about bogus WHOIS knows
> that domain names do not reliably identify anyone.
So you're saying that you'd have no problems getting a well-known-CA signed
certificate for, say, pop.mail.yahoo.com? If you can't, then it would seem
that the current process provides (at least) a better mechanism than just
blindly accepting self-signed certificates, no?
> Also keep in mind that this particular argument is about the certs used to
> submit mail to Gmail, which requires a separate SMTP AUTH within the SSL
> session before you can send any mail. This isn't belt and suspenders, this
> is belt and a 1/16" inch piece of duct tape.
Err.. no it's not. It's about the certs used when Gmail connects to a
3rd-party host to collect mail. i.e., Google is the client, not the server.