Re: ESMTP: STARTTLS with "target domain" parameter(s)
- From: Andrzej Adam Filip <anfi@xxxxxxx>
- Date: Sun, 08 Nov 2009 22:18:36 +0100
Henning Hucke <spamtrap@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Sat, 7 Nov 2009, Andrzej Adam Filip wrote:
[...]
From my perspective you take "the way it is (typically) used" for
"the only way to use it". I am accustomed to drag things far above
and beyond original design goals.
Some services use "client certificates" as a substitute to authentication.
There is nothing to stop clients from using SSL certificates to
authenticate server to themselves - to use SSL for "both ways"
authentication.
Recall what I wrote: _Certainly_ certificates authenticate users as
well as clients as well as _servers_. That's exactly what I was talking
about.
You can "boost" usages of protocols - a certificate is also a
protocol, a convention - beyond their initial purpose but you should
do it in a sensible and especially consistent manner and
using _multiple_ certificates for one and the same entity - the mail
server on which you host multiple independent (read as AS / autonomous
system) domains or the relay (of one or the other kind) to them - is
far beyond the sense and intention of a certificate and triggers such a
lot of inconsistencies that... I can't find words for it %-).
Read: "STARTTLS <domain in my mind>" is rubbish and - even more than that
- evil.
[... Personal part removed ...]
I do not assume that one "smtp destination" (IP address) *MUST* mean
one physical/logical smtp server. For me extending STARTTLS syntax is
an elegant way to support it. I do not talk about "MUST provide/accept
destination domain as parameter", I talk about "MAY provide/accept
destination domain parameter". (In future if it is deployed) Server may
decide not to offer support for it, client may decide to ignore that
server supports it.
I may (reluctantly) agree that extending STARTTLS may be not the best
way to achieve "virtual SMTP" server and "inbound proxying" of SMTP
connections.
BTW For me "trust tree" sucks as design (trust in tree topology).
I would strongly prefer multiple independent sources confirming
"validity".
--
[pl>en Andrew] Andrzej Adam Filip : anfi@xxxxxxx : Andrzej.Filip@xxxxxxxxx
Open-Sendmail: http://open-sendmail.sourceforge.net/
If I could drop dead right now, I'd be the happiest man alive!
-- Samuel Goldwyn