ietf-asrg

Re: [Asrg] Proposal for transition to authenticated email

2003-05-01 10:10:03
From: "Kee Hinckley" <nazgul(_at_)somewhere(_dot_)com>

The actual impact of these changes is tiny.  So far people have
legitimately pointed out:
1) Now, you can use TLS to the end server.
2) You get feedback from one hop later if you do the SMTP yourself.

3) You are talking about regulating the creation of at least three
brand new industries that don't even exist right now.

Nonsense.  CAs already exist.  There are already both commercial and
nonprofit organizations that provide blacklists.  There already exist
companies like IronPort that work with TRUSTe.  It's not very different at
all.

4) You repeatedly ignore the cost issue--in fact, you don't even
understand the current costs for services like those you describe,
let alone what the potential costs would be.

We keep telling you--based on our experience selling, supporting,
writing and working with commercial email and commercial companies--
that this is not a trivial change.  Please explain how your real
world experience differs.

Gee, I used to run our division's mail server that way.  Then the firewall
admins (off in another city) changed the rules without telling me.  It took
me a whole half hour to fix the problem so I forwarded through our corporate
SMTP server.  Wow, big deal.  I was pissed they didn't tell me in advance,
but hardship?  No.  It _was_ a trivial change, from my personal experience.

All you have said amounts to "we don't do it that way now."

I also have experience with the two _actual_ drawbacks anybody has
mentioned.
1) Now, you can use TLS to the end server.
2) You get feedback from one hop later if you do the SMTP yourself.
Our legal and technical staff (at the largest medical laboratory testing
company) determined that SMTP over TLS was not adequate to meet HIPAA
privacy regulations, but end-to-end S/MIME or PGP was.  They also determined
that SMTP by itself was inadequate to guarantee that a message was
delivered.  (S/MIME receipts would be, if they were widely available.)  I
completely agree with these decisions.

I checked on your claim that outgoing SMTP is some very limited, expensive
service to get from a third party.  Ha!  What I found was that practically
every web-hosting company throws it in for free.  Or, a company that
provides incoming mail services, "for Outgoing SMTP Service, add $10/year".

As to the cost of certificates, I don't know.  We should bring in people who
are knowledgeable about the procedures and costs for different kinds of
certificates.  It has to be compared to the cost of other solutions or doing
nothing at all.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg