[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Nmh-workers] TLS certificate validation
|
From: |
Lyndon Nerenberg |
|
Subject: |
Re: [Nmh-workers] TLS certificate validation |
|
Date: |
Mon, 26 Sep 2016 16:59:23 -0700 |
> On Sep 24, 2016, at 9:43 AM, Jeffrey Honig <address@hidden> wrote:
>
> Any system that does not maintain up-to-date certificates is just broken; an
> invitation for security vulnerabilities to be exploited in situations where
> expired or revoked certificates can be exploited. Validating the certificate
> chain should be the default and any other option available should come with
> language that strongly discourages their use. Doing anything else would be
> giving people a false sense of security.
The tricky part of this is writing the fall-back code in the client. And
especially for nmh, where 24x7 always-connected-via-ethernet-to-the-internet is
not a given.
There are a lot of fallback scenarios that have to be dealt with if we are to
preserve the security (and therefore trust) model implied by TLS.
It's enlightening to read the HIPAA security requirements for email. That's
the security regime I work in, and it *really* makes you pay attention to what
*all* the components of your systems are doing.
- Re: [Nmh-workers] TLS certificate validation, (continued)
- Re: [Nmh-workers] TLS certificate validation, Ralph Corderoy, 2016/09/25
- Re: [Nmh-workers] TLS certificate validation, Jeffrey Honig, 2016/09/25
- Re: [Nmh-workers] TLS certificate validation, Ralph Corderoy, 2016/09/25
- Re: [Nmh-workers] TLS certificate validation, Ken Hornstein, 2016/09/25
- Re: [Nmh-workers] TLS certificate validation, Jeffrey Honig, 2016/09/25
- Re: [Nmh-workers] TLS certificate validation, Ken Hornstein, 2016/09/25
- Re: [Nmh-workers] TLS certificate validation, Jeffrey Honig, 2016/09/25
Re: [Nmh-workers] TLS certificate validation, Valdis . Kletnieks, 2016/09/24
Re: [Nmh-workers] TLS certificate validation,
Lyndon Nerenberg <=