ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Anti-spam news article / S/MIME Gateways

2004-06-24 21:44:08
from [Hallam-Baker, Phillip] [Permanent Link] 

Trevor,

        The CMS format is fine, 95% of the spec is fine.

        The problem is that there is a 5% gap between what S/MIME delivers
and what is needed.

        I think we can close the gap, the key is to throw away the bone
headed insistence that some people had concerning the end to end model or
nothing. We tried that for ten years, we ended up with nothing. IPSEC makes
a lousy VPN protocol for the exact same reason, give me something that
really works through a NAT box without complaint any day.

        What is needed is more than just better discovery protocols, or
logos in the certs. We need better client interfaces, we also need an in
band signalling mechanism so you know that when S/MIME enhancements are
being added that the channel can support them, including stripping them out
if some appliance or client turns out not to support them.

        [Draft to follow]

                Phill


-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Trevor 
Freeman
Sent: Thursday, June 24, 2004 1:42 PM
To: Ben Littauer; ietf-smime(_at_)imc(_dot_)org
Subject: RE: Anti-spam news article / S/MIME Gateways



Hi Ben
I agree there are issues with the trust mechanisms etc. Domain signing
is a good idea. What has that to do with the format and 
encoding of how
you sign a message? What part of CMS is so horribly broken 
that we need
another signature format?
Trevor

* -----Original Message-----
* From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]
* On Behalf Of Ben Littauer
* Sent: Wednesday, June 23, 2004 6:34 AM
* To: ietf-smime(_at_)imc(_dot_)org
* Subject: Re: Anti-spam news article / S/MIME Gateways
* 
* 
* There's scalability and there's scalability.
* 
* The problem with desktop to desktop PKI is both the 
directory problem
* (i.e.
* key discovery and distribution) and the administration problem
(issuance,
* renewal, and revocation of certificates).  Domain-level PKI reduces
the
* scale of both problems by several orders of magnitude.  Solving the
domain
* level problems first will perhaps give some clue to the mechanisms
* required
* for the desktop implementation, should it ever become required.
* 
* -ben-
* 
* > From: "Trevor Freeman" <trevorf(_at_)exchange(_dot_)microsoft(_dot_)com>
* > Date: Tue, 22 Jun 2004 11:15:39 -0700
* > To: "Craig McGregor" 
<Craig(_dot_)McGregor(_at_)treasury(_dot_)govt(_dot_)nz>, "Russ
Housley"
* > <housley(_at_)vigilsec(_dot_)com>, <ietf-smime(_at_)imc(_dot_)org>
* > Subject: RE: Anti-spam news article / S/MIME Gateways
* >
* >
* > Hi Craig,
* > While I understand you comments about closed groups. The real
problem
* > with scaling beyond closed groups is, as you point out, trust
* > mechanisms. What I fail to see is why we need a different 
signature
* > format to deploy a more scalable trust mechanism.
* > Trevor
* >
* > * -----Original Message-----
* > * From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
* > [mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]
* > * On Behalf Of Craig McGregor
* > * Sent: Monday, June 21, 2004 8:12 PM
* > * To: Russ Housley; ietf-smime(_at_)imc(_dot_)org
* > * Subject: RE: Anti-spam news article / S/MIME Gateways
* > *
* > *
* > *
* > * >Tumbleweed Chief Executive Jeff Smith says there's a lot of
* > * misunderstanding about
* > * >S/MIME, because it was created as a desktop encryption
technology. He
* > * argues it's
* > * > also simple and cost-effective to use as a gateway
authentication
* > * technology, and
* > * > that its quality advantages make it the best choice. 
Tumbleweed
* > would
* > * like to work
* > * > with Yahoo to merge their technologies.
* > *
* > * S/MIME gateway software in the context of a 
'closed-community' is
a
* > * proven method of authenticating the sending domains of e-mail
messages
* > * and has been effective at blocking increased volumes of spoofed
e-mail
* > * messages (providing they were sent from a participating domain).
And
* > of
* > * cause using S/MIME encryption protects one from in-transit
* > eavesdropping
* > * too!
* > *
* > * Applying what is quite managable in a 'closed-community' for an
* > * Internet-wide deployment would be somewhat more challenging
though.
* > * Particularly around certificate deployment, trust-chains and
* > * auto-discovery (assume DNS for internet-wide; a 
'closed-community'
* > could
* > * use LDAP). I think that is why domain keys proposes to trust DNS
data
* > as
* > * being authorative without any further validation.
* > *
* > * Craig.
* > *
* > *
* > *
* > *
* > *
* > *
* > *
* > *
* > *
* > *
* > *
* > *
* >
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Anti-spam news article / S/MIME Gateways, Ben Littauer
Next by Date:  Re: Anti-spam news article / S/MIME Gateways, David P. Kemp
Previous by Thread:  Re: Anti-spam news article / S/MIME Gateways, Ben Littauer
Next by Thread:  Re: Anti-spam news article / S/MIME Gateways, David P. Kemp
Indexes:  [Date] [Thread] [Top] [All Lists]