From mboxrd@z Thu Jan  1 00:00:00 1970
Subject: Re: [9fans] pop3 before smtp
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To: 9fans@cse.psu.edu
Content-Transfer-Encoding: 7bit
In-Reply-To: <007001c3471e$0ec21fe0$b9844051@insultant.net>
Message-Id: <E8FEC222-B313-11D7-8B4D-000393D34A62@orthanc.ab.ca>
Date: Thu, 10 Jul 2003 14:20:12 -0600
Topicbox-Message-UUID: f43cdd68-eacb-11e9-9e20-41e7f4b1d025


On Thursday, July 10, 2003, at 02:01  PM, boyd, rounin wrote:

>>  From a practical standpoint, you don't need one.
>
> you do.  alice doesn't trust bob and bob doesn't trust alice.

You can put an SSL cert on the server if you really want to verify it's
who it claims to be. (Most people don't seem to care.) You don't need
one for the client, though, as you're verifying it via SASL. (And some
SASL mechanisms can also verify the server side while authenticating
the client, as well as performing encryption of the session. You pick
the one that matches your requirements.)

Again, I'm speaking from a *practical* standpoint, and addressing a
*very* narrow problem space. I, too, would like to see a global PKI
that actually works.

--lyndon