ietf-asrg

Re: [Asrg] Microsoft takes over British Telecom

2011-10-31 17:10:53
On 31/10/2011 18:28, Douglas Otis wrote:
> Kerberos was suggested as a way to avoid much of the overhead related with processing certificates at each exchange. It also provides a way to offer layered protections, such as selectively enabling firewall subsequent to completion of a Kerberos exchange. Kerberos exchanges would be at much much lower rates than that demanded by SMTP.

I'm struggling with the Kerberos idea.

If you want to send a message to me, that means you need to authenticate with 'my' Kerberos server? What authentication details do you use? Do I have to contact you to give you authentication details to my server? Surely that can't be the case, but how else would the authentication work? (Or would the sender authenticate *with itself* via the receiver? I can see that working in theory, but it would be complicated and I can't see how it would work with a standard Kerberos implementation.)

Given that most of our customers are businesses with < 25 users, many of whom have their MX records pointing to their own MTA, how would this work? Most want to use their own MTA because their ISPs are useless, and switching to their own MTA gives them enhanced reliability and control.

I can't see them rushing to sign up to a third party Kerberos server (probably with extra fees and unknown reliability). Does this mean we'll be needing to create our own Kerberos server to run alongside our mail server software? Most of our customers use Windows desktop OSes (e.g. Windows XP, Windows 7 etc.), which, AFAIAA, don't give you Kerberos services.

Using Kerberos only makes sense if everyone who has a legitimate mail server has Kerberos, which obviously isn't the case.

> Kerberos was suggested as a way to avoid much of the overhead related with processing certificates at each exchange.

Does this mean that STARTTLS is undesirable as well?

Is the calculation of a signature that problematic? It's relatively CPU intensive, but low bandwidth. I'd have thought most mail systems would be I/O bound rather than CPU bound (unless they're doing antispam/antivirus, in which case calculating/checking a signature is a relatively minuscule extra load). DKIM already generates/checks signatures, and with much more data & complexity.



_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg