ietf-asrg

RE: [Asrg] RE:ASGR 8a Use of certificates

2003-04-02 18:12:11
Forgot to mention here that the point I was making here 
is for deployment of email encryption as an end in itself.

If spam helps bootstrap that, it is not a bad thing, but
the client email encryption problem needs solving.

                Phill

-----Original Message-----
From: Hallam-Baker, Phillip [mailto:pbaker(_at_)verisign(_dot_)com]
Sent: Wednesday, April 02, 2003 6:37 PM
To: 'Vernon Schryver'; 'asrg(_at_)ietf(_dot_)org'
Subject: Re: [Asrg] RE:ASGR 8a Use of certificates


Outlook and Outlook Express both support S/MIME and have done for a very
long time.

Notes also has S/MIME support since release 5 and before that did PEM.

Webmail can be upgraded without much difficulty; the code already exists in
Windows and OpenSSL.

There are a few infrastructure and plumbing bits missing; in particular, let's
get support for free self-signed certs in the clients. Let's get some better
cert discovery infrastructure out there. Nothing impossible.

These are not the only options.

The key is to realize that a lot of the problems of PKI came from a broken
directory model that assumed we were going to transition to OSI and ignored
the DNS.


 -----Original Message-----
From:         Vernon Schryver
Sent: Wed Apr 02 15:16:11 2003
To:   asrg(_at_)ietf(_dot_)org
Subject:      Re: [Asrg] RE:ASGR 8a Use of certificates

From: "Tom Thomson" <tthomson(_at_)neosinteractive(_dot_)com>

...
SMTP-AUTH is specifically designed for a closed trusted environment
(read the RFC - the words it uses are "within a trusted enclave") so
it's not at all surprising that it hasn't been deployed to solve a
problem in a wide-open uncontrolled environment. Do SUBMIT or
SMTP-TLS have relevance to our issue any more than SMTP-AUTH does?  I
think not!

I think that caveat about SMTP-AUTH is merely a statement of the fact
that talk about authenticating strangers is nonsense.  Authentication
is only half of authentication and authorization.  Does it make sense
to trust everyone outside your trusted enclave?--of course not!  You
cannot know whether a stranger, whether authenticated or not, sending
you mail is also sending copies to 50,000,000 of your closest friends.
Authentication is meaningless outside "a trusted enclave."


Although some MUAs have signature/checking capabilities, rather a lot
have no such capability.  Do any of the webmail systems have such
capability?  Even where an MUA has the capability, is it usable by
the average user?  Plainly and simply, the signature and checking
capabilities of current MUAs are not designed to address our issue.

I think that is wrong, because I think most people use Netscape, Outlook,
or Outlook Express.  I know Netscape has long handled cert-signed mail,
because I've tried it.  I've not tried Outlook (Express), but I've the
impression they also can do it.


Post Script:   I suspect Vernon will be very unhappy if the group 
ends up supporting approaches other than one particular one;  but 
I'm not going to decry that particular one because it wasn't 
invented here, and I just wish he would show other members of this 
list that same courtesy. We are going to need to apply lots of 
partial solutions and not reject anything that is useful just 
because it will not solve more than 90% of the problem on day one.

Just for my own information, could you let me know which approach I
prefer?

I can't think of anything that might qualify as a solution to spam
except what I think is inevitable legislation that will tax or license
bulk mail.  That will not really solve the spam problem but only change
the spammers and limit the total spam in most mailboxes.  I do hope
that the DCC might help with spam after that legislation, but it does
not qualify as a solution now or then.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg