Subj : -64 and -46 option missing in 101
To   : Alexey Fayans
From : Oli
Date : Thu May 07 2020 12:34 pm

Alexey wrote (2020-05-07):

 AI>> If my current certificate is not good enough then what would be and
 AI>> why?

 AF> You are using certificate issued by a trusted CA that matches your domain
 AF> specified in nodelist, which is fine. If there would be a standard for
 AF> binkps requiring INA to be present and contain a valid domain name, then
 AF> mailers could verify certificates based on domain names and trusted CA,
 AF> as web browsers do. But without a standard there is no security. If there
 AF> will be an IP address in the INA field, how can you verify certificate
 AF> validity?

and with FTS-5004 (binkp.net) it's also not really secure. we don't even have an informal agreement how to deal with these addresses does the binkp server have to offer a cert for it's binkp.net address? or should the binkp client verify the certificate based on the domain the CNAME / SRV record points to?

of course it always can be treat like a self-signed cert.

---
 * Origin:  (2:280/464.47)

.