P.S. For client access (SMTP submission) validation is also important; the whole chain must be provided for better compatibility.
On 13.09.2018 16:30, Vladimir Dubrovin wrote:
>
> For opportunistic TLS, there is no difference between a certificate
> signed by a CA and a self-signed certificate (or even unsigned), because
> the certificate is usually not validated. Certificate validation is
> useless here, because opportunistic TLS falls back to cleartext anyway.
>
> For DANE, again there is no difference, because the certificate is pinned
> via DNS.
>
> For SMTP STS validation is important and you had better provide the whole
> certificate chain (except the self-signed root CA) for compatibility.
>
> On 13.09.2018 15:56, Christian wrote:
>> Hey,
>>
>> I was wondering what the best practice is regarding certificate
>> chains provided through SMTP.
>>
>> Should you present the entire certificate chain including the CA or
>> just the certificate and all intermediate certificates?
>>
>> As I understand it the CA has to be in the trust store of the other
>> party anyway, since it makes no sense to trust all other certificates
>> if there is no trusted CA, even if the server provides it. If the
>> provided (or not provided) CA is not in the trust store it is as good
>> as a self-signed/unsigned certificate (chain), isn't it?
>> Even if this might be true, is it still best practice to provide the CA?
>>
>> Of course, the matter is different with DANE since you can argue a
>> "pinned" certificate is better than one signed by a CA.
>>
>> Can someone shed some light on how off I am on this topic?
>>
>> Thanks,
>> Christian
>>
>> PS: Do best practices differ from those for HTTPS?
>>
>> _______________________________________________
>> mailop mailing list
>> [email protected]
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
> --
> Vladimir Dubrovin
> @Mail.Ru

--
Vladimir Dubrovin
@Mail.Ru
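A way to check what an MX actually presents during STARTTLS, added here as an example and not part of the original mails: `live_check` dumps the chain a server sends and makes `openssl s_client` fail on a validation error (the opposite of what an opportunistic-TLS client does), and `chain_summary` reads such a transcript and reports how many certificates were sent, whether the last one is self-signed (a root, which the thread says need not be sent), and the verify return code. The host name `mx.example.com`, the CA path `/etc/ssl/certs` and the two transcripts below are constructed placeholders, not taken from the thread.

```shell
#!/bin/sh
# Added example; not from the mailop thread.

# Live check (not run by the tests): connect to an MX, STARTTLS, show every
# certificate the server sends and verify the chain against the local
# trust store. -verify_return_error aborts the handshake on a validation
# failure instead of continuing the way an opportunistic-TLS MTA would.
# "mx.example.com" and /etc/ssl/certs are placeholders.
live_check() {
    host="$1"
    port="${2:-25}"
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" \
        -showcerts -verify_return_error -CApath /etc/ssl/certs </dev/null 2>/dev/null
}

# Summarise an s_client transcript read from stdin:
#   certs=N       number of certificates the server sent
#   root_sent=..  "yes" if the last one is self-signed (subject == issuer)
#   verify=..     the "Verify return code" (0 means the chain validated)
chain_summary() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss  = $0 }
        /^Verify return code:/ { vc = $4 }
        END {
            root = (n > 0 && subj == iss) ? "yes" : "no"
            printf "certs=%d root_sent=%s verify=%s\n", n, root, (vc == "" ? "unknown" : vc)
        }
    '
}

# Constructed transcript: leaf plus intermediate, root left out, validates.
SAMPLE_FULL_CHAIN=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
depth=0 CN = mx.example.com
verify return:1
---
Certificate chain
 0 s:CN = mx.example.com
   i:C = US, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
MIIB...(omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
MIIB...(omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mx.example.com
issuer=C = US, O = Example CA, CN = Example Intermediate
---
Verify return code: 0 (ok)
---
EOF
)

# Constructed transcript: a single self-signed certificate, which an
# opportunistic-TLS client accepts but a validating client rejects.
SAMPLE_SELF_SIGNED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = mail.example.org
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = mail.example.org
   i:CN = mail.example.org
-----BEGIN CERTIFICATE-----
MIIB...(omitted)
-----END CERTIFICATE-----
---
Verify return code: 18 (self signed certificate)
---
EOF
)

# Usage: live_check mx.example.com | chain_summary
printf '%s\n' "$SAMPLE_FULL_CHAIN"  | chain_summary
printf '%s\n' "$SAMPLE_SELF_SIGNED" | chain_summary
```

Run `live_check` against each of your MX hosts and pipe it through `chain_summary`: for a host that must pass MTA-STS validation you want `verify=0` with every intermediate sent (the root may be omitted), while `root_sent=yes` with `certs=1` is exactly the self-signed case the thread describes as indistinguishable from an untrusted CA.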
