
Re: WG Review: Open Pluggable Edge Services (opes)

2001-06-20 07:40:02
From: Jeffrey Altman <jaltman(_at_)columbia(_dot_)edu>
To: Paul Hoffman / IMC <phoffman(_at_)imc(_dot_)org>
Cc: ietf(_at_)ietf(_dot_)org, ietf-openproxy(_at_)imc(_dot_)org

As for the argument about "TLS everywhere", you have to ask who is 
going to pay for it. The end-user cannot demand it; only the server 
can. TLS is universally available today, and servers rarely use it 
for anything other than getting credit cards or passwords.

Servers do not use it for everything because the cost of using TLS
with X.509 certificates from an entity such as Verisign are on the
order of $700 per server per year per hostname.

The last time I checked Verisign's prices they were on the order of
$250/year/hostname.  I think that's about 100 times too expensive
given the uselessly superficial checking of the identity of the
outfit buying the certificate (and I was saying that before the
recent Microsoft circus.)

Why should anyone be required to pay such an outrageous tax simply to
be able to protect their home photo collection from being tampered
with in transit to a visitor's browser?

Granted, we could all become our own CAs, but that scares end users
and reduces the trust model because we don't want to train users to
accept a new CA cert from every site they go to.  

No, on several counts:

  1. The only reason that might scare end users is because of scary
     words from browsers, and then only for HTTP.  Browsers are not
     too-smart-by-half SMTP MUAs, not SMTP servers.  There are no scary
     CA pop-ups from your browser-broken-MUA if you use SMTP for mail
     submission.

  2. There are no pop-ups, scary or otherwise, when you and other
     SMTP client and server operators exchange certs for sendmail's use.

  3. Becoming your own CA is easy, once someone tells you the magic
     OpenSSL incantation.

  4. A web of CAs could work similarly to the PGP web of trust.

No, the reason people are not using TLS everywhere is that they don't
care, not even here, about avoiding the data muggers.  The rest, including
the poor documentation of what to do in sendmail 8.12, are just excuses.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
