Alexey wrote (2020-05-07):
AI>> If my current certificate is not good enough then what would be and
AI>> why?
AF> You are using certificate issued by a trusted CA that matches your domain
AF> specified in nodelist, which is fine. If there would be a standard for
AF> binkps requiring INA to be present and contain a valid domain name, then
AF> mailers could verify certificates based on domain names and trusted CA,
AF> as web browsers do. But without a standard there is no security. If there
AF> will be an IP address in the INA field, how can you verify certificate
AF> validity?
and with FTS-5004 (binkp.net) it's also not really secure. we don't even have
an informal agreement on how to deal with these addresses: does the binkp server
have to offer a cert for its binkp.net address? or should the binkp client
verify the certificate based on the domain the CNAME / SRV record points to?
of course it always can be treated like a self-signed cert.
---
* Origin: (2:280/464.47)