nanog mailing list archives
Re: Gmail and SSL
From: Scott Howard <scott () doc net au>
Date: Tue, 1 Jan 2013 16:04:11 -0800
On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine <johnl () iecc com> wrote:

> Really, this isn't hard to understand. Current SSL signers do no more than tie the identity of the cert to the identity of a domain name. Anyone who's been following the endless crisis at ICANN about bogus WHOIS knows that domain names do not reliably identify anyone.

So you're saying that you'd have no problems getting a well-known-CA signed certificate for, say, pop.mail.yahoo.com? If you can't, then it would seem that the current process provides (at least) a better mechanism than just blindly accepting self-signed certificates, no?

> Also keep in mind that this particular argument is about the certs used to submit mail to Gmail, which requires a separate SMTP AUTH within the SSL session before you can send any mail. This isn't belt and suspenders, this is belt and a 1/16" inch piece of duct tape.

Err.. no it's not. It's about the certs used when Gmail connects to a 3rd-party host to collect mail. ie, Google is the client, not the server.

Scott
