ietf-openproxy

Re: WG Review: Open Pluggable Edge Services (opes)

2001-06-20 09:34:52

>> Servers do not use it for everything because the cost of using TLS
>> with X.509 certificates from an entity such as Verisign are on the
>> order of $700 per server per year per hostname.

> The last time I checked Verisign's prices they were on the order of
> $250/year/hostname.  I think that's about 100 times too expensive
> given the uselessly superficial checking of the identity of the
> outfit buying the certificate (and I was saying that before the
> recent Microsoft circus.)

Strange.  I just purchased a 128-bit cert (can you believe they are
still selling 40-bit certs?) and the cost was $895 for the first
server and $695 for each additional server I wanted to be able to use
the certificate on.

If I wanted additional hostnames, they were additional new certs
starting at the base $895.  I assume it is possible to get better
rates if you are purchasing bulk licenses.  But this does not apply to
a small business with a single server and hostname.

>> Granted, we could all become our own CAs, but that scares end users
>> and reduces the trust model because we don't want to train users to
>> accept a new CA cert from every site they go to.

> No, on several counts:
>
>   1. The only reason that might scare end users is because of scary
>     words from browsers, and then only for HTTP.  Browsers are not
>     too-smart-by-half SMTP MUAs not SMTP servers.  There are no scary
>     CA pop-ups from your browser-broken-MUA if you use SMTP for mail
>     submission.

This point is inappropriate at best.  We are talking about using TLS
to provide end to end security for a transfer of content.  The SMTP
MUA is not an end point.  It is one of the entities we are protecting
the data from.  You can't use TLS for that purpose with SMTP.  Once
the data has been delivered to SMTP via TLS it can still be tampered
with.  That is why you must use OpenPGP to protect your e-mail.  

All that TLS does when used with SMTP is verify that you are indeed
talking with the server you want to access; and perhaps protect your
password if you are not using client certificates to prove your
identity.

 Jeffrey Altman * Sr. Software Designer
 The Kermit Project @ Columbia University
 http://www.kermit-project.org/
 kermit-support@kermit-project.org
 C-Kermit 7.1 Alpha available: includes Secure Telnet and FTP using
 Kerberos, SRP, and OpenSSL.  SSH soon to follow.
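Added example (not part of the thread) modelling the hop-by-hop versus end-to-end argument above: each SMTP hop is TLS-protected, yet the relay at the end of a hop holds the plaintext and can alter it, and only an end-to-end signature carried with the message lets the recipient notice. Assumptions: the relay chain and message are constructed, and an HMAC over the OpenPGP-style canonical text stands in for an OpenPGP detached signature.

```python
import hashlib
import hmac

# Constructed stand-in for the sender's OpenPGP signing key (assumption:
# an HMAC replaces the asymmetric signature; the hop argument is unchanged).
SENDER_KEY = b"constructed-sender-signing-key"


def canonical(body: str) -> bytes:
    # OpenPGP canonical text: trailing whitespace trimmed, CRLF line endings.
    return "\r\n".join(line.rstrip() for line in body.splitlines()).encode()


def sign(body: str, key: bytes = SENDER_KEY) -> str:
    # End-to-end signature: computed by the author, travels with the message.
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def verify(body: str, sig: str, key: bytes = SENDER_KEY) -> bool:
    return hmac.compare_digest(sign(body, key), sig)


def tls_hop(message: dict, tamper=None) -> dict:
    """One SMTP hop over TLS. The wire is protected (modelled as a no-op),
    but the server terminating TLS holds the plaintext and may edit it."""
    delivered = dict(message)
    delivered["tls_verified"] = True  # the hop's handshake succeeded
    if tamper:
        delivered["body"] = tamper(delivered["body"])
    return delivered


def deliver(message: dict, hops: list) -> dict:
    for tamper in hops:
        message = tls_hop(message, tamper)
    return message


def relay_scenario(tamper_at_relay: bool) -> dict:
    # Constructed message: submission hop, one relay, delivery hop.
    msg = {"body": "Wire $1000 to account A.\n"}
    msg["sig"] = sign(msg["body"])
    relay = (lambda b: b.replace("account A", "account B")) if tamper_at_relay else None
    final = deliver(msg, [None, relay, None])
    return {
        "body": final["body"],
        "tls_verified": final["tls_verified"],      # True on every hop regardless
        "e2e_ok": verify(final["body"], final["sig"]),
    }
```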
