nanog mailing list archives

Re: smtp.comcast.net self-signed certs


From: Tony Finch <dot () dotat at>
Date: Fri, 16 Jan 2009 16:28:42 +0000

On Fri, 16 Jan 2009, Florian Weimer wrote:

> There's no PKI for Internet Mail routing, so I don't see what you get
> by checking certificates at all.

That's not entirely true. SMTP over TLS is intended to work for
inter-domain SMTP, and it is in fact quite frequently used. However, it is
utterly broken, with the result that what PKI there is is not in practice
used.

The brokenness is:

* TLS certificates verify host names, not mail domains, so they only
provide protection for the result of an MX lookup - they don't verify
that the MX lookup itself was not spoofed.

* Most SMTP software does not check certificates and many certificates
installed on MX hosts have different common names from the MX record
target hostname. Turning on certificate verification breaks too much
email, and there's no incentive for postmasters to install valid
certificates.

These problems are extremely hard to fix.

Tony.
-- 
f.anthony.n.finch  <dot () dotat at>  http://dotat.at/
FITZROY SOLE: WEST OR SOUTHWEST 5 TO 7, INCREASING GALE 8 AT TIMES, THEN
BACKING SOUTH 7 TO SEVERE GALE 9, PERHAPS STORM 10 LATER. VERY ROUGH OR HIGH.
RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.


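The two failure modes listed above, worked through as an added example that is not part of the original post or of any real MTA: the DNS view, the MX hostnames and the certificate names are all constructed, and the hostname matcher is a minimal RFC 6125-style check written for this illustration. It shows that an honest MX host whose certificate carries a different name fails verification (so turning verification on "breaks too much email"), while an attacker who spoofs the MX lookup and presents a certificate that is perfectly valid for their own hostname passes it, because the certificate binds the host name, not the mail domain.

```python
"""Why verifying an MX host's TLS certificate does not authenticate mail
delivery for a domain.  Added example with constructed data; none of the
hostnames below are real deployments."""


def hostname_matches(pattern, hostname):
    """RFC 6125-style match of a certificate name against a host name:
    case-insensitive, label by label, with a wildcard allowed only as the
    entire leftmost label and only when at least two labels follow it."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_valid_for(mx_host, cert_names):
    """What a verifying SMTP client checks: does any CN/SAN in the
    certificate presented by the MX host match the MX target name?"""
    return any(hostname_matches(name, mx_host) for name in cert_names)


def deliver(mail_domain, dns_view, certs):
    """Model the delivery decision.  The MX lookup is taken on trust,
    exactly as a real SMTP client does: nothing signs the MX record.
    Returns (mx_host_used, certificate_verified)."""
    mx_host = dns_view[mail_domain][0]
    return mx_host, cert_valid_for(mx_host, certs[mx_host])


# Constructed DNS view and certificate inventory (hypothetical names).
HONEST_DNS = {"example.com": ["mx1.example.com"]}
SPOOFED_DNS = {"example.com": ["mx.attacker.example"]}   # attacker-controlled answer
CERT_NAMES = {
    # Common real-world case: the cert was issued for the webmail/brand
    # name, not for the MX target hostname.
    "mx1.example.com": ["mail.example.com"],
    # The attacker's host presents a cert that is valid for its own name.
    "mx.attacker.example": ["mx.attacker.example", "*.attacker.example"],
}


def honest_delivery():
    """Legitimate MX, mismatched certificate: verification fails."""
    return deliver("example.com", HONEST_DNS, CERT_NAMES)


def spoofed_delivery():
    """Spoofed MX lookup, attacker's own valid certificate: verification
    passes, because the cert only vouches for the host name."""
    return deliver("example.com", SPOOFED_DNS, CERT_NAMES)


if __name__ == "__main__":
    for label, result in (("honest MX", honest_delivery()),
                          ("spoofed MX", spoofed_delivery())):
        host, ok = result
        print(f"{label}: delivering to {host}, certificate verified = {ok}")
```

Running it prints a failed verification for the legitimate host and a successful one for the spoofed host, which is the point of the post: the check is applied to the wrong name, so enforcing it loses legitimate mail without stopping an attacker who controls the MX answer.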