Gmail and SSL

Scott Howard scott at doc.net.au
Wed Jan 2 00:04:11 UTC 2013


On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine <johnl at iecc.com> wrote:

> Really, this isn't hard to understand.  Current SSL signers do no more
> than tie the identity of the cert to the identity of a domain name. Anyone
> who's been following the endless crisis at ICANN about bogus WHOIS knows
> that domain names do not reliably identify anyone.
>

So you're saying that you'd have no problems getting a well-known-CA signed
certificate for, say, pop.mail.yahoo.com?  If you can't, then it would seem
that the current process provides (at least) a better mechanism than just
blindly accepting self-signed certificates, no?

Also keep in mind that this particular argument is about the certs used to
> submit mail to Gmail, which requires a separate SMTP AUTH within the SSL
> session before you can send any mail.  This isn't belt and suspenders, this
> is belt and a 1/16" inch piece of duct tape.
>

Err.. no it's not.  It's about the certs used when Gmail connects to a
3rd-party host to collect mail.  ie, Google is the client, not the server.

  Scott


More information about the NANOG mailing list