[Dshield] Self-signed certificates (was: Re: ISP's That Ignore Abuse Reports)

Stephane Grobety security at admin.fulgan.com
Mon Jun 13 09:22:40 GMT 2005


TE> If that were sound advice, then 99% of all Internet MTAs aren't
TE> following it, nor do many ISPs who demand a client certificate for
TE> client MTA authorization.

So?

Private CAs are a really useful tool for internal use. I use an
internal CA for my network and use it for the certificate used by my
MTAs, VPN client access, smartcard logon, and a few other
applications. But it's all perfectly ok because if a machine doesn't
have my root CA installed and approved, it has no business requesting
authentication.

TE> I certainly don't follow it for opportunistic https, IMAPS and TLS
TE> encryption to my site, where the clientele is purely members of my
TE> site's organization, or where my MTA uses opportunistic encryption
TE> purely for STARTTLS before SASL authorization. It would be otherwise if
TE> I were running a public web server.

That's fine. Please re-read what I said: I was talking about using
this kind of certificate for public web sites, like the one the OP was
pointing at.

TE> I don't agree with OP's view of DNSBLs either, but that's an argument
TE> I'm *not* going to get into.

I feel the same, but I avoided the subject entirely (I don't think I
have anything intelligent to say on the subject that isn't either
obvious or hasn't already been said).

-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com