
RE: [Asrg] Its all over for Challenge Response

2004-03-03 21:56:46

Sure it looks great in theory, but the cost of deploying all
those end user certificates is simply beyond most enterprises.

It seems to me that you're pinning the apparent failure of X.509
PKI on the end-to-end security concept.

No, SSL and Authenticode are tremendously successful, the best 
security we have on the Internet in fact. It is the email area
where we have failed - until we started to use STARTTLS.
 
I use PGP Mail whenever I need authentication and encryption.
I consider it to be successful for my personal use.

I don't consider PGP to be any more successful, I get far more
S/MIME signed messages than PGP and that is ignoring the S/MIME
bias from PKIX and S/MIME list membership. The vast majority
of MUAs support S/MIME and have done for years.

The failure has been getting the end users to participate.
It was just too hard.

If you look at the problem from a risk assessment point of view
it is entirely reasonable to secure email internally by using
SSL to secure communication with the email server and then to use
SSL to secure the hop over the Internet where the email is
most likely to be intercepted.

There are two problems with this notion.  The first is that
various intermediate systems have access to the communication
to read and alter.  

Sure, but that is irrelevant. Almost none of the email on the
internet is encrypted in any form. The vast majority of messages
that are encrypted use STARTTLS.

The second is that there is no guarantee
that any pair of intermediate systems actually secure the
hop between them.  The secure connection established by the
two systems is appropriate for their own security needs rather
than for the end-to-end traffic they convey over that connection.

Again, wrong comparison. STARTTLS is a bicycle. It has nowhere 
near the power and capabilities that a tank offers. But it will
get you to your destination far faster than walking.

Sure they might be apples and oranges. But if you put apples
and oranges together you have a fruit salad.

I do think STARTTLS might have a role to play in antispam if
there were some scalable way to do the authorization.

The problem is advertising the fact you support STARTTLS in
the DNS.

It is not an authorization problem.
