On 31/10/2011 18:28, Douglas Otis wrote:
> Kerberos was suggested as a way to avoid much of the overhead related
> with processing certificates at each exchange. It also provides a
> way to offer layered protections, such as selectively enabling
> firewall subsequent to completion of a Kerberos exchange. Kerberos
> exchanges would be at much much lower rates than that demanded by SMTP.

I'm struggling with the Kerberos idea.
If you want to send a message to me, that means you need to authenticate
with 'my' kerberos server? What authentication details do you use? Do I
have to contact you to give you authentication details to my server?
Surely that can't be the case, but how else would the authentication
work? (or would the sender authenticate *with itself* via the
receiver? I can see that working in theory, but would be complicated and
I can't see how it would work with a standard kerberos implementation)
Given that most of our customers are businesses with < 25 users, many of
whom have their MX records pointing to their own MTA, how would this
work? Most want to use their own MTA because their ISPs are useless, and
switching to their own MTA gives them enhanced reliability and control.
I can't see them rushing to sign up to a third party kerberos server
(probably with extra fees and unknown reliability). Does this mean we'll
be needing to create our own kerberos server to run alongside our mail
server software? Most of our customers use Windows desktop OSes (eg
Windows XP, Windows 7 etc), which, AFAIAA don't give you kerberos services.
Using kerberos only makes sense if everyone who has a legitimate mail
server has kerberos, which obviously isn't the case.

> Kerberos was suggested as a way to avoid much of the overhead related
> with processing certificates at each exchange.

Does this mean that STARTTLS is undesirable as well?
Is the calculation of a signature that problematic? It's relatively CPU
intensive, but low bandwidth. I'd have thought most mail systems would
be I/O bound rather than CPU bound (unless they're doing
antispam/antivirus, in which case calculating/checking a signature is
a relatively minuscule extra load). DKIM already generates/checks
signatures, and with much more data & complexity.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg