Sure it does. You have confidentiality between the parties who are speaking together against third parties merely passively intercepting the communication. Authentication and Confidentiality are two completely separate things and can be (and are) implemented separately. The only Authentication which would be of any value to me is if the certificate was issued by me to the other party. Otherwise, one must assume that the certificate is fake for the purposes of authentication (i.e., it has no more value than a self-signed certificate).
-----Original Message----- From: Michael Thomas [mailto:mike@mtcc.com] Sent: Friday, 6 September, 2013 13:25 To: Eugen Leitl Cc: nanog@nanog.org Subject: Re: The US government has betrayed the Internet. We need to take it back
On 09/06/2013 12:14 PM, Eugen Leitl wrote:
On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least.
Of course:
Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate)
doesn't instill a lot of confidence :) It's better than nothing though.
Mike
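The Received: header quoted above is the kind of evidence the thread is arguing over: the hop was encrypted (TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384), so a passive interceptor sees nothing, but "Client did not present a certificate" means the sending side proved nothing about who it was. The script below is an added example, not code from the thread or from any of its participants; it parses Postfix-style TLS annotations in Received: headers and classifies each hop as cleartext, encrypted-but-unauthenticated, or encrypted with a verified client certificate. The header format for a verified client certificate, `(Client CN "host", Issuer "CA" (verified OK))`, is assumed from Postfix's smtpd_tls_received_header output; the sample headers other than the first are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample Received: headers. The first mirrors the header quoted in the
# thread; the other two are made up to exercise the cleartext and client-cert cases.
SAMPLE_RECEIVED = [
    "Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68]) "
    "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) "
    "(Client did not present a certificate) by mx.example.net (Postfix) with ESMTPS",
    "Received: from relay.example.org (relay.example.org [192.0.2.10]) "
    "by mx.example.net (Postfix) with ESMTP",
    "Received: from partner.example.com (partner.example.com [198.51.100.5]) "
    "(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) "
    '(Client CN "partner.example.com", Issuer "Example CA" (verified OK)) '
    "by mx.example.net (Postfix) with ESMTPS",
]

_FROM_RE = re.compile(r"^Received:\s+from\s+(?P<helo>\S+)")
# Postfix TLS annotation: (using TLSv1.2 with cipher NAME (256/256 bits))
_TLS_RE = re.compile(
    r"\(using (?P<proto>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)\)"
)
_NO_CLIENT_CERT = "(Client did not present a certificate)"
# Assumed Postfix form for a client certificate that chained to a trusted CA.
_VERIFIED_RE = re.compile(r'\(Client CN "(?P<cn>[^"]+)".*\(verified OK\)\)')


@dataclass
class HopTls:
    helo: str                  # name the sending host announced
    protocol: Optional[str]    # None when the hop carried no TLS annotation
    cipher: Optional[str]
    bits: Optional[int]        # symmetric key bits negotiated
    client_cn: Optional[str]   # CN of a verified client cert, else None


def parse_received(header: str) -> HopTls:
    """Extract the TLS facts a Postfix receiver recorded for one hop."""
    m = _FROM_RE.match(header)
    helo = m.group("helo") if m else "?"
    tls = _TLS_RE.search(header)
    cn = None
    if tls and _NO_CLIENT_CERT not in header:
        v = _VERIFIED_RE.search(header)
        if v:
            cn = v.group("cn")
    return HopTls(
        helo=helo,
        protocol=tls.group("proto") if tls else None,
        cipher=tls.group("cipher") if tls else None,
        bits=int(tls.group("bits")) if tls else None,
        client_cn=cn,
    )


def assess(hop: HopTls) -> str:
    """Say what the annotation actually proves: confidentiality, authentication, or neither."""
    if hop.protocol is None:
        return "cleartext"                       # readable by any passive tap
    if hop.client_cn is None:
        return "encrypted-unauthenticated"       # opportunistic TLS: privacy, no identity
    return "encrypted-client-authenticated"      # receiver verified the sender's cert


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Classify every hop in a list of Received: headers."""
    return [(h.helo, assess(h)) for h in map(parse_received, headers)]


if __name__ == "__main__":
    for helo, verdict in audit(SAMPLE_RECEIVED):
        print(f"{helo:24s} {verdict}")
```

Run against the header from the thread, the first hop comes out as encrypted-unauthenticated, which is exactly the distinction being made above: STARTTLS buys confidentiality against passive interception, and only a certificate the receiver actually verified adds authentication.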