On Wed, May 23, 2007 at 06:34:26PM +0200, Florian Weimer wrote:

> * Victor Duchovni:
> >> That's good of you not to expect it, given that zero of the major CAs 
> >> seem to support ECC certs today, and even if they did, those certs 
> >> would not work in IE on XP.
> >
> > We are not talking about this year or next of course. My estimate is
> > that Postfix releases designed this year, ship next year, are picked up
> > by some O/S vendors the year after and shipped perhaps a year after that,
> > then customers take a few years to upgrade, ... So for some users Postfix
> > 2.5 will be their MTA upgrade in 2011 or later. So we need to anticipate
> > future demand by a few years to be current at the time that users begin
> > to use the software.
>
> But no one is issuing certificates which are suitable for use with
> SMTP (in the sense that the CA provides a security benefit).  As far
> as I know, there isn't even a way to store mail routing information in
> X.509 certificates.

There is no need to store routing information:


The short summary is that full security is only available when the
receiving MX hosts have certs that match the recipient domain, or
the sender is willing to manually (in his MTA configuration) bind the
recipient domain to the subject names (or in 2.5 fingerprints) of the
appropriate MX hosts.


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
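
Added example, not part of the original message and not Postfix code: a Python sketch of the trust decision the summary above describes, where the certificate is checked against the recipient domain or against a manual binding of names or fingerprints, and never against the MX hostname learned from DNS. The function names, the `policy` structure, the use of SHA-256 for fingerprints and all sample values are assumptions of this sketch; wildcard certificate names are not handled.

```python
import hashlib

def name_matches(pattern, cert_name):
    """'example.com' matches exactly; '.example.com' matches any subdomain."""
    pattern = pattern.lower()
    cert_name = cert_name.lower().rstrip(".")
    if pattern.startswith("."):
        return cert_name.endswith(pattern) and len(cert_name) > len(pattern)
    return cert_name == pattern

def peer_is_trusted(recipient_domain, cert_names, cert_der, policy=None):
    """Decide whether an MX host's certificate authenticates it for the domain.

    cert_names: subject names taken from the peer certificate; for the name
    checks the chain is assumed to have been validated to a trusted CA already.
    policy: the sender's manual binding for this domain (hypothetical shape),
    {"names": [...]} or {"fingerprints": [...]}; None means no binding.
    The MX hostname from DNS is deliberately not an input: it is unauthenticated.
    """
    if policy and "fingerprints" in policy:
        # Pin the exact certificate; no CA is involved in this branch.
        return hashlib.sha256(cert_der).hexdigest() in policy["fingerprints"]
    if policy and "names" in policy:
        patterns = policy["names"]
    else:
        # No binding: the cert must match the recipient domain itself.
        patterns = [recipient_domain, "." + recipient_domain]
    return any(name_matches(p, n) for p in patterns for n in cert_names)

def demo():
    # All values below are constructed for illustration.
    der = b"constructed-certificate-bytes"
    pin = {"fingerprints": [hashlib.sha256(der).hexdigest()]}
    bind = {"names": [".mailhost.example.net"]}
    return {
        "own_mx": peer_is_trusted("example.com", ["mx1.example.com"], der),
        "outsourced_mx": peer_is_trusted("example.com", ["mx.mailhost.example.net"], der),
        "outsourced_bound": peer_is_trusted("example.com", ["mx.mailhost.example.net"], der, bind),
        "pinned": peer_is_trusted("example.com", [], der, pin),
        "pinned_other_cert": peer_is_trusted("example.com", [], b"other-bytes", pin),
        "lookalike": peer_is_trusted("example.com", ["mx.badexample.com"], der),
    }

if __name__ == "__main__":
    for case, trusted in demo().items():
        print(f"{case}: {trusted}")
```
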