ietf-asrg

RE: [Asrg] A method to eliminate spam

2003-03-17 21:19:20
Valdis,

>> It is already more or less required that organizations buy a CA-issued
>> SSL cert to operate a web site dealing in credit card transactions.

> Now, is that *legally* required, or is that simply the guys
> at Visa and Mastercard saying "We won't clear transactions
> for you unless you...."
>
> I believe it to be the latter.

Actually, I'm not sure it is either of these.  But people with a brain will
not use an e-commerce site which is not using encryption, and the vendor is
(theoretically at least) liable for negligence if someone manages to
intercept the credit card info because it was sent in the clear.  I say
"theoretically" because 1) it seems more likely that credit cards are stolen
by server machines being broken into and 2) I've never heard of a lawsuit
happening because of this.

>> Maybe it is not so farfetched that they should do this (or maybe use
>> the same cert) to also operate a mail server?

> Hmm.. if AOL and Hotmail and Yahoo were to insist on it, it
> might have a snowball's chance of flying.  The big question
> is whether there's enough supply of SSL accelerator cards,
> and if certs were economically feasible.

The question of CPU load is interesting.  I'm not sure how much trouble this
would cause for anyone except the largest ISPs.  Arguably it may decrease
the load on servers, since many (most?  all? ;) spammers sending mail these
days would not be able to send mail at all under this scheme.  

I am aware that some MTAs have support for this sort of thing currently, but
I have to confess ignorance of how it is actually implemented... this is
something I should read up on.

> Remember there's a lot of .com's and .org's that are 1 or 2
> boxes in a colo, or a box or two in a closet in somebody's
> basement (literally half my personal mail goes to places that
> are at the skinny end of an ADSL or cable modem). If you can
> think of a way to deploy this without bankrupting those
> places (they'd not need an SSL card for 100 smtp-over-ssl a
> day, but a full-blown .COM cert may put their budget over the
> edge).  Any ideas?

CA-issued SSL certs are around $100/yr.  Little guys like this could get
around the requirement by relaying mail through their ISP, maybe (who could
have a list of allowed relays by IP).  If an ISP can't afford $100/yr for an
SSL cert, they have bigger problems.  (Most ISPs will have one already for
doing secure HTTP anyway.)

Remember, I'm talking about requiring an SSL cert to *initiate* an SMTP
session; you could still receive mail without one.  

-J
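The policy J sketches above (refuse to accept a session unless the initiating MTA presents a CA-issued certificate, with an IP list of ISP relays as the escape hatch for small sites, while still sending outbound mail normally) is exactly what later MTAs expose as configuration. The following Postfix main.cf fragment is an added example written for this page, not code from the thread or from the ASRG; it uses the parameter names of Postfix 2.3 and later, which postdate this 2003 discussion. The certificate paths, the trusted-CA bundle and the 192.0.2.0/24 relay network are placeholders assumed for illustration.

```ini
# Added example: Postfix main.cf fragment for the scheme discussed in the
# thread. All file paths and the 192.0.2.0/24 network are assumptions,
# not values from the thread. Postfix only honours comments that start
# at the beginning of a line, so none are placed after a value.

# --- Receiving side: TLS is mandatory for anyone who opens a session
# with us, and we ask every client for a certificate.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/tls/mx.example.pem
smtpd_tls_key_file = /etc/postfix/tls/mx.example.key
smtpd_tls_ask_ccert = yes

# A client certificate only counts as "verified" if it chains to a CA in
# this bundle. Putting the full public CA list here is the thread's
# "any CA-issued cert" proposal; trimming it restricts who may send.
smtpd_tls_CAfile = /etc/postfix/tls/trusted-cas.pem

# Record the cipher and client-cert verification result in the
# Received: header, which is what you grep when debugging rejections.
smtpd_tls_received_header = yes

# The "little guys relay through their ISP" escape hatch: sessions from
# these addresses are accepted without a client certificate.
# 192.0.2.0/24 is a documentation range standing in for the ISP's relays.
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# Accept the listed relays, then any client whose certificate verified
# against smtpd_tls_CAfile, and reject everybody else. With the default
# smtpd_delay_reject = yes the reject is delivered at RCPT TO.
# (smtpd_tls_req_ccert = yes would enforce the certificate at the TLS
# layer instead, but it would also apply to the mynetworks relays,
# which defeats the escape hatch, so it is deliberately not set.)
smtpd_client_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject

# --- Sending side: present our own certificate whenever we initiate a
# session, which is the half of the scheme J says a site cannot skip.
smtp_tls_security_level = encrypt
smtp_tls_cert_file = /etc/postfix/tls/mx.example.pem
smtp_tls_key_file = /etc/postfix/tls/mx.example.key
smtp_tls_CAfile = /etc/postfix/tls/trusted-cas.pem
```

After `postfix reload`, `postconf -n` shows the effective values, and `openssl s_client -starttls smtp -connect mx.example:25 -cert client.pem -key client.key` lets you watch the handshake and then attempt a RCPT TO with and without a certificate. Two caveats a practitioner would want: `permit_tls_all_clientcerts` trusts every certificate that chains to smtpd_tls_CAfile, so the CA bundle is the real policy knob; and RFC 3207 forbids a publicly referenced SMTP server from requiring STARTTLS, so this only interoperates with MTAs that have opted into the scheme, which is the adoption problem the thread is debating.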

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg