On 3 Jun 2023, at 01:56, Jacob Bachmeyer <jcb62...@gmail.com> wrote:
>
> Alexander Leidinger via Gnupg-users wrote:
>> [...]
>>
>> I don't remember if there was a challenge/response or not. As I still have
>> the email with the signed key, I can tell that the signature can arrive via
>> a TLS-encrypted SMTP channel directly from Governikus (and they have an SPF
>> setup but not DKIM):
>> ---snip---
>>
>> Received: from smtp.governikus.de (smtp.governikus.de [194.31.70.126])
>> (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>> key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
>> client-signature RSA-PSS (4096 bits) client-digest SHA256)
>> (Client CN "VPR-BOS004.dmz.bosnetz.de", Issuer "VPR-BOS004.dmz.bosnetz.de"
>> (not verified))
>>
>> ---snip---
>>
>
> Am I misreading that header or does Governikus' outgoing SMTP have a
> self-signed client certificate for 'VPR-BOS004.dmz.bosnetz.de'? That does
> not inspire confidence…

I wouldn’t read too much into this. The client cert here is probably used for internal purposes, and their MXes may be configured to offer their client certs by default - external sites won’t check it anyway, so no harm done.

A

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
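
An added example, not part of the thread: a small parser for the TLS comments in a `Received:` header like the one quoted above, reporting whether the receiving MTA validated the client certificate and whether the logged Issuer equals the CN. The function name `client_cert_summary` is hypothetical, the sample header is reconstructed from the quoted lines, and the `verified OK` status string is an assumed counterpart to the `not verified` shown in the thread.

```python
import re

# Constructed input: the Received header quoted in the thread, with its folding kept.
SAMPLE = '''Received: from smtp.governikus.de (smtp.governikus.de [194.31.70.126])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "VPR-BOS004.dmz.bosnetz.de", Issuer "VPR-BOS004.dmz.bosnetz.de"
 (not verified))'''

TLS_RE = re.compile(r'\(using (?P<proto>\S+) with cipher (?P<cipher>\S+)')
# "verified OK" is an assumed counterpart to the "not verified" seen in the thread.
CERT_RE = re.compile(r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)"'
                     r' \((?P<status>not verified|verified OK)\)\)')

def client_cert_summary(header):
    """Summarise what the receiving MTA recorded about the sender's TLS client cert."""
    text = " ".join(header.split())          # unfold continuation lines
    out = {"tls": None, "cipher": None, "client_cn": None, "issuer": None,
           "verified": None, "issuer_equals_cn": None,
           "note": "no client certificate details recorded"}
    tls = TLS_RE.search(text)
    if tls:
        out["tls"], out["cipher"] = tls["proto"], tls["cipher"]
    cert = CERT_RE.search(text)
    if not cert:
        return out
    out["client_cn"], out["issuer"] = cert["cn"], cert["issuer"]
    out["verified"] = cert["status"] == "verified OK"
    # Only the two names are logged, so equality is a hint of self-signing, not proof.
    out["issuer_equals_cn"] = cert["cn"].lower() == cert["issuer"].lower()
    if out["verified"]:
        out["note"] = "receiver validated the certificate chain"
    else:
        out["note"] = ("receiver did not validate the certificate; treat CN and "
                       "Issuer as unauthenticated strings, not as sender identity")
    return out

if __name__ == "__main__":
    for key, value in client_cert_summary(SAMPLE).items():
        print(f"{key}: {value}")
```

For the quoted header this reports TLSv1.3, an unverified client certificate and matching CN and Issuer, so the certificate fields say nothing reliable about who sent the message.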