ietf-asrg

RE: [Asrg] Re: 2. Uselessness of C/R

2006-09-25 14:55:05
It is no longer true that tinkering with the Internet at the edges is easier 
than the middle. It has not been true for at least a decade.

It is utterly impractical to change the core Internet. Changing the edge is 
very very slow.

The only place where change is practical is the interface between the network 
and the Internetwork.

This means abandoning the myth that hosts connect to the Internet, they don't 
and they won't in future either.

If we are to have security we have to apply Butler Lampson's concept of a 
security reference monitor and realize that in the network context this is a 
firewall or other edge security device.


We could change the S/MIME spec but that would eliminate the advantage of using 
S/MIME and create even more problems as legacy S/MIME clients misbehave when 
they see the new S/MIME. S/MIME does not cope with upgrades gracefully. 
Introducing a parallel spec is far more effective and simpler.

-----Original Message-----
From: Yakov Shafranovich [mailto:research(_at_)solidmatrix(_dot_)com] 
Sent: Wednesday, January 28, 2004 7:17 PM
To: Hallam-Baker, Phillip
Cc: ASRG
Subject: Re: [Asrg] Re: 2. Uselessness of C/R

Hallam-Baker, Phillip wrote:
While we are on the topic of S/MIME: currently the majority of MUAs have
S/MIME support built-in including root certificates. Why is it that no
banks or financial companies that are suffering from "phishing" attacks
consider signing their email via S/MIME?


I know several banks that are considering it. The disadvantage is that there
are email users with MUAs that don't handle S/MIME. The big problem is that
Eudora is effectively an orphan code-base with little serious development
work.


Any ideas on what is the percentage of users that do not have S/MIME? If
MSFT, Mozilla, etc. and the other MUAs cover a virtual majority of the
market, and would cover a majority of users affected by the phishing
attacks, why aren't the banks deploying it? It would be easier to tinker
with the edges of the network, rather than the center.

There is a private working group looking at this. Yahoo! Domain keys looks
like a better fit for what it is intended to achieve.


Wouldn't a profile of S/MIME that stores keys in DNS achieve essentially
the same thing?

Yakov
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Power tends to corrupt, and absolute power corrupts absolutely" (Lord Acton)
-------


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg






  • RE: [Asrg] Re: 2. Uselessness of C/R, Hallam-Baker, Phillip <=