Hi Viktor,

On Tue, May 20, 2014 at 14:21:22 +0000, Viktor Dukhovni wrote:
> Facebook made the same mistakes you did:
>
> http://www.metzdowd.com/pipermail/cryptography/2014-May/021344.html

In that thread you say that CA certs are futile for SMTP servers. I think that the statement is untrue: CA certs can also be useful for SMTP. The application is enforced TLS encryption with the "secure" level for important partner domains. At my company we do it a lot like this:

    foo.ch    secure match=.foo.ch
    bar.ch    secure match=.bar.ch

You might say that DANE is better, and I agree, but CA certificates are the current solution to this problem, and certainly will remain important until DANE becomes more widespread.

Also, we don't do "fingerprint" because we don't want to maintain the fingerprint database (and deal with sudden changes, etc.).

Cheers
David
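The following is an added illustration, not part of David's message and not Postfix source code: a small model of how a TLS policy table like the one above is evaluated at the "secure" level. It assumes (as a reading of the Postfix documentation, not verified against its implementation here) that at "secure" the server certificate must both chain to a trusted CA and carry a name matching one of the colon-separated match= patterns, where a plain pattern is an exact match and a leading-dot pattern matches any subdomain; wildcard-name handling and the policy lines and certificate names are constructed for the example.

```python
"""Model of a Postfix-style smtp_tls_policy_maps lookup at the "secure" level.

Added example for this thread, not Postfix code.  Modelled semantics (assumed
from postconf(5)): the peer certificate is checked against the next-hop
domain's match= patterns, not against the MX hostname, which is why a
pattern like ".foo.ch" is used when the MX hosts are mx1.foo.ch etc.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Constructed policy table in the shape of the one quoted above.
POLICY_TABLE = """\
# destination   level    attributes
foo.ch          secure   match=.foo.ch
bar.ch          secure   match=.bar.ch:bar.ch
baz.ch          encrypt
"""


@dataclass
class Policy:
    level: str
    match: List[str] = field(default_factory=list)


def parse_policy_table(text: str) -> Dict[str, Policy]:
    """Parse 'destination level [match=pat:pat...]' lines into Policy objects."""
    table: Dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        domain, level = parts[0].lower(), parts[1].lower()
        patterns: List[str] = []
        for attr in parts[2:]:
            key, _, value = attr.partition("=")
            if key == "match":
                # match= takes a colon-separated list of patterns
                patterns.extend(p.lower() for p in value.split(":") if p)
        if level == "secure" and not patterns:
            # Modelled default for "secure": nexthop plus dot-nexthop (assumption).
            patterns = [domain, "." + domain]
        table[domain] = Policy(level, patterns)
    return table


def name_matches(pattern: str, cert_name: str) -> bool:
    """Exact match, or subdomain match when the pattern has a leading dot."""
    pattern, cert_name = pattern.lower(), cert_name.lower()
    if pattern.startswith(".") and len(pattern) > 1:
        # ".foo.ch" matches mx1.foo.ch or deeper, but deliberately not foo.ch itself.
        if cert_name.endswith(pattern) and len(cert_name) > len(pattern):
            return True
        # Assumption: a wildcard certificate name "*.foo.ch" covers one label under the parent.
        return cert_name == "*" + pattern
    return cert_name == pattern


def delivery_allowed(policy: Policy, chain_trusted: bool, cert_names: Sequence[str]) -> bool:
    """Decide whether mail may be delivered given the peer's certificate properties.

    chain_trusted: whether the certificate chains to a CA in the client's trust store.
    cert_names:    the DNS names found in the certificate (CN / subjectAltName).
    """
    if policy.level in ("none", "may", "encrypt"):
        # "encrypt" forces TLS but performs no identity verification at all.
        return True
    if policy.level in ("verify", "secure"):
        # Both conditions are required: a trusted issuer AND a matching name.
        return chain_trusted and any(
            name_matches(pat, name) for pat in policy.match for name in cert_names
        )
    raise ValueError(f"unknown TLS policy level: {policy.level}")


if __name__ == "__main__":
    table = parse_policy_table(POLICY_TABLE)
    # Legitimate MX host with a CA-issued certificate for mx1.foo.ch
    print("foo.ch via mx1.foo.ch, trusted:", delivery_allowed(table["foo.ch"], True, ["mx1.foo.ch"]))
    # Same name, but the certificate does not chain to a trusted CA
    print("foo.ch via mx1.foo.ch, untrusted:", delivery_allowed(table["foo.ch"], False, ["mx1.foo.ch"]))
    # Trusted certificate, but for a name outside the policy's match= patterns
    print("foo.ch via mx.other.example, trusted:", delivery_allowed(table["foo.ch"], True, ["mx.other.example"]))
```

The point the model makes visible is the one David relies on: at "encrypt" a forged or unrelated certificate is accepted as long as TLS comes up, while at "secure" the CA trust chain and the match= patterns together pin delivery to hosts that can prove they belong to the partner domain, without the operator having to track individual certificate fingerprints.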