With PKIX validation the certificate should match the hostname.

With SMTP, the hostname should match the reverse IP though often it does not.

Using subdomains gives you flexibility.

With DANE validation, it is DNSSEC that validates the fingerprint to the hostname, so I do not believe there is a need for the hostname in the cert to match anything, but DANE validation is currently not used by any mail user agents; only PKIX validation is used by mail user agents.

DANE is used for MTA to MX quite frequently, however, so it may come to mail user agents in the near future (near being within a decade or so).

On 3/14/19 10:03 PM, Gary via dovecot wrote:
Is there some reason to use a mail.domain.com cert for mail rather than just
using domain.com for everything?

Historically the subdomains were used because they were on different hardware.
That is, www was on one machine and mail was on another.

Original Message
From: dovecot@dovecot.org
Sent: March 14, 2019 3:56 PM
To: dovecot@dovecot.org
Reply-to: jtam.h...@gmail.com
Subject: Re: regarding ssl certificates

mick crane wrote:

Apache2 default install has this snake oil certificate
Can make a new one for apache

I won't go over some of the excellent points in previous posts,
but I will mention SAN as a third type of certificate you can make.
LetsEncrypt supports this type of certificate.

This is halfway between single CN and wildcard certificate where you can
combine many hostnames (up to 1000?) into one certificate.  This may
be useful if you want the convenience of handling fewer certificates,
without having an unbounded wildcard certificate (the latter also requires
control over your DNS).  I use this for SMTPAUTH, POP3, IMAP and webmail
services since they are all on one server.

Then Stephan von Krawczynski wrote:

Sorry I have to write this, but this is again pointing people in a fake
security direction.
The only valid authority for a certificate is the party using it. Any third
party with unknown participants cannot be a "Certificate Authority" in its
true sense. This is why you should see "Let's Encrypt" simply as a cheap way
to fake security. It is a US entity, which means it _must_ hand out all
necessary keys to fake certificates to the US authorities _by law_.
Now probably you can imagine why they are giving the certificates out for
free. US authorities can compromise all of them - without any "open knowledge".

Wow, you packed a lot of fear, uncertainty and doubt (and some
misinformation) into one paragraph.  I'll leave it at that.

Joseph Tam <jtam.h...@gmail.com>
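As an added example (not code from this thread or from Dovecot), this is the hostname check a PKIX-validating mail client performs against a SAN certificate of the kind Joseph describes, i.e. the "certificate should match the hostname" rule from the first message. The SAN list and hostnames are constructed; only name matching is shown, not chain validation.

```python
"""PKIX-style hostname matching over a certificate's SAN dNSName list.

Constructed example: one SAN certificate covering several mail services on
a single host, plus a wildcard entry to show where wildcards stop matching.
Rules follow RFC 6125 (case-insensitive, wildcard only as the whole
left-most label, never spanning more than one label).
"""

# Constructed SAN list for a multi-service mail server (assumption).
SAN_DNS_NAMES = ["mail.example.org", "imap.example.org", "smtp.example.org",
                 "webmail.example.org", "*.pop.example.org"]


def _label_matches(pattern: str, label: str) -> bool:
    # Only a bare "*" label is a wildcard; "f*" or "*oo" are treated literally.
    return pattern == "*" or pattern == label


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a single SAN dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):            # a wildcard never covers extra or fewer labels
        return False
    if "*" in p[1:]:                # wildcards are only allowed in the left-most label
        return False
    if p[0] == "*" and len(p) < 3:  # refuse "*.org"-style wildcards
        return False
    return all(_label_matches(a, b) for a, b in zip(p, h))


def cert_matches_hostname(san_names: list, hostname: str) -> bool:
    """True if any SAN dNSName covers the name the client connected to."""
    return any(dns_name_matches(n, hostname) for n in san_names)


def check_connection(hostname: str, san_names=SAN_DNS_NAMES) -> str:
    """Decision a PKIX-validating mail client would reach for hostname."""
    return "accept" if cert_matches_hostname(san_names, hostname) else "reject"


if __name__ == "__main__":
    for host in ["imap.example.org", "example.org",
                 "a.pop.example.org", "x.y.pop.example.org"]:
        print(f"{host:22s} -> {check_connection(host)}")
```

Note that the bare "example.org" is rejected: a cert issued for mail.example.org does not cover the parent domain, which is the trade-off Gary's question is about.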