Hey, I was wondering what the best practice is regarding certificate chains provided through SMTP.
Should you present the entire certificate chain including the CA or just the certificate and all intermediate certificates? As I understand it the CA has to be in the trust store of the other party anyway, since it makes no sense to trust all other certificates if there is no trusted CA, even if the server provides it. If the provided (or not provided) CA is not in the trust store it is as good as a self-signed/unsigned certificate (chain), isn't it? Even if this might be true, is it still best practice to provide the CA? Of course, the matter is different with DANE since you can argue a "pinned" certificate is better than one signed by a CA. Can someone shed some light on how off I am on this topic?

Thanks,
Christian

PS: Do best practices differ from those for HTTPS?
_______________________________________________ mailop mailing list [email protected] https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
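An added, runnable illustration of the question above (not part of Christian's post or of any reply): it builds a throwaway root, intermediate and leaf with openssl, then runs `openssl verify` as a stand-in for the receiving MTA's chain validation across the four cases discussed (intermediate only, intermediate plus root, root presented but not trusted, leaf only). All names are constructed and the hostname uses the reserved .test TLD; a stock openssl.cnf is assumed so that `req -x509` marks the root as a CA.

```shell
#!/bin/sh
# Added demo: throwaway root -> intermediate -> leaf PKI built with openssl,
# then "openssl verify" stands in for the receiving MTA's chain validation.
# All names are constructed; mail.example.test uses the reserved .test TLD.
set -e
WORK=$(mktemp -d)

# sign <csr> <issuer cert> <issuer key> <extension file> <out pem>
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 2 -extfile "$4" -out "$5" 2>/dev/null
}

setup_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext
  # Self-signed root: the thing the peer must already hold in its trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  sign int.csr root.pem root.key ca.ext int.pem
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=mail.example.test" 2>/dev/null
  sign leaf.csr int.pem int.key leaf.ext leaf.pem
  cat int.pem root.pem > int_and_root.pem   # the chain "including the CA"
}

# verify <trust store: root.pem | none> <presented chain file | none>
# Exit status is openssl's: 0 only if leaf.pem chains to a *trusted* root.
verify() {
  if [ "$1" = none ]; then args="-no-CAfile -no-CApath"; else args="-CAfile $WORK/$1"; fi
  [ "$2" = none ] || args="$args -untrusted $WORK/$2"
  openssl verify $args "$WORK/leaf.pem" >/dev/null 2>&1
}

# show <label> <trust store> <presented chain>
show() {
  if verify "$2" "$3"; then echo "OK    $1"; else echo "FAIL  $1"; fi
}

setup_pki
show "root trusted, server sends intermediate only"       root.pem int.pem
show "root trusted, server sends intermediate + root"     root.pem int_and_root.pem
show "root NOT trusted, server sends intermediate + root" none     int_and_root.pem
show "root trusted, server sends leaf only"               root.pem none
```

The first two cases pass and the last two fail: sending the root changes nothing when it is already trusted and does not help when it is not, while omitting the intermediate breaks validation even with a trusted root.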
