From: Jeffrey Altman <jaltman(_at_)columbia(_dot_)edu>
To: Vernon Schryver <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com>
Cc: ietf-openproxy(_at_)imc(_dot_)org, ietf(_at_)ietf(_dot_)org
...
Strange. I just purchased a 128-bit cert (can you believe they are
still selling 40-bit certs?) and the cost was $895 for the first
server and $695 for each additional server I wanted to be able to use
the certificate on.
If I wanted additional hostnames, they were additional new certs
starting at the base $895. I assume it is possible to get better
rates if you are purchasing bulk licenses. But this does not apply to
a small business with a single server and hostname.
When I was looking, I found that Thwate wanted $150 and talked about making
a profit despite being significantly lower than Verisign's pricing. That
was before Verisign purchased Thwate. I see that
http://www.verisign.com/products/site/pricing.html now starts at $350.
1. The only reason that might scare end users is because of scary
words from browsers, and then only for HTTP. Browsers are not
too-smart-by-half SMTP MUA's not SMTP servers. There are no scary
CA pop-ups from your browser-broken-MUA if you use SMTP for mail
submission.
This point is inappropriate at best. We are talking about using TLS
to provide end to end security for a transfer of content. The SMTP
MUA is not an end point. It is one of the entities we are protecting
the data from. You can't use TLS for that purpose with SMTP. Once
the data has been delivered to SMTP via TLS it can still be tampered
with. That is why you must use OpenPGP to protect your e-mail.
All that TLS does when used with SMTP is verify that you are indeed
talking with the server you want to access; and perhaps protect your
password if you are not using client certificates to prove your
identity.
I've previously agreed with Paul Hoffman that SMIME, PGP, or whatever
is needed to really protect content from user to user. However, we are
*NOT* talking about that. The repeated claims or at least implications
that STARTTLS does nothing against the data mugging by interception
proxies are wores than "inappropriate at best." If I didn't think
statements were merely the result of Verisign's and the FSF's effective
propaganda--er--sales information and the old syndrome of igoring the
better in perpetual, hopeless pursuit of perfection, I'd grumble about
shilling for snake oil.
In fact, STARTTLS would put a stop to SMTP interception proxies.
Also in fact, HTTPS wrecks HTTP interception proxies.
Yes, there are key distribution problems with both, but no more so than
with PGP.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com