ietf-mailsig

RE: In response to Housley-mass-sec-review

2005-02-25 20:18:09

The issue with end user keys is not the publication mechanism, it is
deployment of the keys in the first place and the management of the key
lifecycle that has presented an intractable problem on an extended scale to
date.

The most sensible approach in my view is to begin by deploying an
infrastructure we are 100% certain is feasible, a solution that is primarily
an edge server solution with domain wide keying.

We should at the same time consider a comprehensive transition strategy that
provides for the extension of the mechanism to provide end user keying in
addition. 

We may never go that far but we should make sure that we do not allow that
option to be precluded because it was not given sufficient consideration or
someone decided to botch the spec to prevent such a transition.

-----Original Message-----
From: Douglas Otis [mailto:dotis(_at_)mail-abuse(_dot_)org] 
Sent: Friday, February 25, 2005 9:46 PM
To: Hallam-Baker, Phillip
Cc: MASS WG
Subject: RE: In response to Housley-mass-sec-review


On Fri, 2005-02-25 at 17:45 -0800, Hallam-Baker, Phillip wrote:
> I still fail to see how you are improving on the paper written by Russ
> Housley who I think knows rather more about this area than you have
> demonstrated so far.

The excellent review by Russell Housley raised concerns.  The 
draft I provided offers modest and practical solutions for 
these concerns, while considering their impact and rationale.

When done on a per-user per-email-message basis at the MTA, 
requirements for certificates and revocation information 
appear problematic in terms of both storage and traffic 
burden.  While OCSP does not appear well suited for this 
purpose, rather than discussing merits of a particular 
polling scheme, I was attempting to consider just those 
immutable elements.

If you wish to assemble cost/overhead estimates for scaling 
an implementation of certificates to the email user level, 
I will be happy to include those calculations.  I am sure 
there will be many wanting to review this alternative.

-Doug
