ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Asrg] Its all over for Challenge Response

2004-03-03 21:31:43
from [Mark Baugher] [Permanent Link] 
Phill,

At 05:51 PM 3/3/2004, Hallam-Baker, Phillip wrote:

> How could that be since STARTLS is hop-by-hop and not
> end-to-end?  This is comparing apples and oranges, isn't it?

No, end-to-end security is a bogus concept.


This statement is in the spirit of the list.



Sure it looks great in theory, but the cost of deploying all
those end user certificates is simply beyond most enterprises.


It seems to me that your pinning the apparent failure of X.509
PKI on the end-to-end security concept.

I use PGP Mail whenever I need authentication and encryption.
I consider it to be successful for my personal use.



If you look at the problem from a risk assement point of view
it is entirely reasonable to secure email internaly by using
SSL to secure communication with the email server and then to use
SSL to secure the hop over the Internet where the email is
most likely to be intercepted.


There are two problems with this notion.  The first is that
various intermediate systems have access to the communication
to read and alter.  The second is that there is no guarantee
that any pair of intermediate systems actually secure the
hop between them.  The secure connection established by the
two systems is appropriate for their own security needs rather
than for the end-to-end traffic they convey over that connection.



Sure there is a residual risk, my mail server can be compromised.
But the cost of deploying SSL based encryption is small, the
benefit is huge. It does not hurt to deploy both. The big downside
of SSL is not that it is hop-by-hop, the real problem is that
you cannot be confident it will be applied.


Yes, I agree.  And it would be completely unacceptable for
two communicating endpoints wanting integrity and confidentiality
of their communication.



Sure they might be apples and oranges. But if you put apples
and oranges together you have a fruit salad.


I do think STARTLS might have a role to play in antispam if
there were some scalable way to do the authorization.

Mark




_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Asrg] Re: Request for MS CID XML samples..., Yakov Shafranovich
Next by Date:  RE: [Asrg] Its all over for Challenge Response, Hallam-Baker, Phillip
Previous by Thread:  Re: [Asrg] Its all over for Challenge Response, Yakov Shafranovich
Next by Thread:  RE: [Asrg] Its all over for Challenge Response, Hallam-Baker, Phillip
Indexes:  [Date] [Thread] [Top] [All Lists]