Re: Trivial change in Public Cert behaviour coming soon

[John Levine via NANOG <nanog () lists nanog org>]

It appears that William Herrin via NANOG <nanog () lists nanog org> said:
> On Fri, May 23, 2025 at 12:34 PM John Levine via NANOG
> <nanog () lists nanog org> wrote:
> > It appears that Bjørn Mork via NANOG <nanog () lists nanog org> said:
> > > > I really wish this zombie argument would die.  The people who run mail
> > > > systems are not all stupid, and if client certs were useful, someone
> > > > in the past 30 years would have tried using them.
> > >
> > > I'm not sure what you're trying to say here, but there is no difference
> > > between submission and smtp wrt mutual tls. If the server wants to
> > > authenticate the client, then a client certificate will be useful.
> >
> > If the client authenticates it's submission.  If it doesn't, it's SMTP
> > unless the client later authenticates with SMTP AUTH.
>
> Hi John,
>
> Only traffic on port 587 is explicitly SMTP submission.. On port 25 it
> might or might not be depending on how the client and server choose to
> use the authentication. For example, an MSA can add or change
> message-id, date and sender headers in the message body while an MTA
> is not supposed to.  This happens independent of whether the
> connection to the MTA/MSA is authenticated.

This is a waste of time.  If people want to believe that SMTP clients send
certificates, there's not much I can do to persuade them otherwise.

But in any event, I hope we have established that the number of people
affected by the LE change to stop signing client certs rounds to zero.

R's,
John
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/CO7TWHY7PWI66QZR73BEA7ZIOGNA5NHK/