On 10.04.2010 19:04, Mick wrote:
> On Saturday 10 April 2010 16:32:37 Eray Aslan wrote:
>> On 10.04.2010 18:12, Robin Atwood wrote:
>>> That's very interesting, I have puzzled about STARTTLS stuff for years!
>>> How do I make sendmail trust the CAs?
>>
>> This is neither necessary nor recommended for TLS.
>
> Why would that be?

Who do you trust and for what? Adding various third party CA
certificates, i.e. using a PKI infrastructure for SMTP for the general
public:

Pros:
None

Cons:
* If you ever do certificate based access control, you will be in
  for a surprise.
* MTA's TLS codes are well known for the more popular ones.
  However, code paths that deal with a lot of CA certs are seldom used.
  There might be corner cases.

On a more general note, please ask yourself "Do I really need a PKI?"
and avoid PKI if you can. It is a mess and is not the way forward.

--
Eray