On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine <johnl@iecc.com> wrote:
Really, this isn't hard to understand. Current SSL signers do no more than tie the identity of the cert to the identity of a domain name. Anyone who's been following the endless crisis at ICANN about bogus WHOIS knows that domain names do not reliably identify anyone.
So you're saying that you'd have no problems getting a well-known-CA signed certificate for, say, pop.mail.yahoo.com? If you can't, then it would seem that the current process provides (at least) a better mechanism than just blindly accepting self-signed certificates, no? Also keep in mind that this particular argument is about the certs used to
submit mail to Gmail, which requires a separate SMTP AUTH within the SSL session before you can send any mail. This isn't belt and suspenders, this is belt and a 1/16" inch piece of duct tape.
Err.. no it's not. It's about the certs used when Gmail connects to a 3rd-party host to collect mail. ie, Google is the client, not the server. Scott