On Sun, Nov 30, 2014 at 07:00:15PM -0500, Robert Moskowitz wrote:

> > I am not suggesting you do this, but since you asked...
>
> As so often, Viktor, you get right to the 'key' point. Yes, why bother. Is
> it any faster if it has a lot of root CA files to check against?
The performance cost is not an issue. With CApath, the performance is
largely independent of the number of CAs, until you start trusting more
than ~65,000 CAs, at which point there is a negligible logarithmic cost
due to collisions of the 32-bit hashed issuer DNs.

> So leave it alone. Just another interesting message happening. Nothing
> REALLY interesting, move along...

Correct. In 2.13 (or whatever number we assign to the release after next),
we may add a forensically useful (even if not a proactive defense) way to
employ trusted CAs to "try" to authenticate SMTP servers. You'll know that
some connections happened to be protected, and would need to employ log
analysis to look for anomalies indicative of MiTM attack in order to take
advantage of such forensic evidence.

-- 
	Viktor.
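As an added illustration (example code, not from the thread, OpenSSL or Postfix) of why CApath lookup cost stays flat until the 32-bit hash space fills: a Python model of the <hash>.<n> directory layout that c_rehash produces, where <n> is only bumped when two subject DNs share a hash, plus the birthday-bound estimate that puts the crossover near 65,536 CAs. The name hash is a stand-in (SHA-1 prefix over the DN string); the assumption is that OpenSSL instead hashes the canonical DER of the name, so the values are not byte-identical to real c_rehash output.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

HASH_BITS = 32  # X509_NAME_hash() yields a 32-bit value


def name_hash(subject_dn: str) -> int:
    """Stand-in for OpenSSL's X509_NAME_hash(): first 4 bytes of SHA-1 as a
    little-endian integer.  Assumption: OpenSSL hashes the canonical DER of
    the name, so these values are not byte-identical to c_rehash output."""
    digest = hashlib.sha1(subject_dn.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "little")


@dataclass
class CAPath:
    """Model of a CApath directory: each trusted CA is a file <hash>.<n>,
    where <n> only grows when two subject DNs share the same 32-bit hash."""
    hash_fn: Callable[[str], int] = name_hash
    files: Dict[str, str] = field(default_factory=dict)  # filename -> DN

    def add(self, subject_dn: str) -> str:
        h = self.hash_fn(subject_dn)
        n = 0
        while f"{h:08x}.{n}" in self.files:  # c_rehash bumps <n> on collision
            n += 1
        self.files[f"{h:08x}.{n}"] = subject_dn
        return f"{h:08x}.{n}"

    def lookup(self, issuer_dn: str) -> Tuple[Optional[str], int]:
        """Return (filename or None, files probed).  The probe count is the
        per-CA cost: 1 with no collision, growing only along a hash chain."""
        h = self.hash_fn(issuer_dn)
        probes = 0
        while True:
            fname = f"{h:08x}.{probes}"
            probes += 1
            if fname not in self.files:  # chain exhausted: issuer not trusted
                return None, probes
            if self.files[fname] == issuer_dn:
                return fname, probes


def expected_collisions(n_cas: int, bits: int = HASH_BITS) -> float:
    """Expected number of colliding DN pairs among n_cas CAs (birthday
    bound); reaches 0.5 at 65,536 CAs for a 32-bit hash."""
    return n_cas * (n_cas - 1) / 2 / 2 ** bits
```

Passing a deliberately bad hash_fn (for example one that returns 0 for every DN) to CAPath shows the degenerate case: every CA lands on the same chain and lookup cost becomes linear in the number of CAs.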