> On Jul 26, 2017, at 1:43 PM, valdis.kletni...@vt.edu wrote:
> 
> On Wed, 26 Jul 2017 10:10:53 -0700, Brandon Long via mailop said:
>> Why can't SMTP software be expected to maintain a list of trusted CAs?
>> Or at least run on an OS that is expected to do so.
> 
> Quick: What two CAs did Google just remove from Chrome's list?
> 
> Has your OS vendor followed suit?  And what percent of your OS vendor's
> installs are prompt in applying patches?

It doesn't _really_ matter in the context of deciding whether a certificate
is being presented by a legitimate domain owner or a MitM.

A domain-validated certificate doesn't stop being domain-validated
the day its dodgy CA is removed from the approved list.

Its relationship to the domain continues to be about as trustworthy
as it was before the CA was smacked down, and still more so
than anything self-signed or created using a private CA.

Cheers,
  Steve



_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
