Gmail and SSL
- Subject: Gmail and SSL
- From: scott at doc.net.au (Scott Howard)
- Date: Tue, 1 Jan 2013 16:04:11 -0800
- In-reply-to: <[email protected]>
- References: <CAAAwwbXrT=30++48N8UAas1DpcKWZ8dAe8fgWyeaB3zR00eJ9g@mail.gmail.com> <[email protected]> <CAAAwwbWXUNQKo24mHH+qyC=0uZYAzV3WqrpERg3dmCjCy0fEyg@mail.gmail.com> <[email protected]>
On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine <johnl at iecc.com> wrote:
> Really, this isn't hard to understand. Current SSL signers do no more
> than tie the identity of the cert to the identity of a domain name. Anyone
> who's been following the endless crisis at ICANN about bogus WHOIS knows
> that domain names do not reliably identify anyone.
>
So you're saying that you'd have no problems getting a well-known-CA signed
certificate for, say, pop.mail.yahoo.com? If you can't, then it would seem
that the current process provides (at least) a better mechanism than just
blindly accepting self-signed certificates, no?

> Also keep in mind that this particular argument is about the certs used to
> submit mail to Gmail, which requires a separate SMTP AUTH within the SSL
> session before you can send any mail. This isn't belt and suspenders, this
> is belt and a 1/16" inch piece of duct tape.
>
Err.. no it's not. It's about the certs used when Gmail connects to a
3rd-party host to collect mail. i.e., Google is the client, not the server.
Scott