spf-discuss

Re: patents, trusting CAs, etc.

2003-12-09 11:51:01
On Mon, Dec 08, 2003 at 14:22:05 -0500, Terence Way wrote:
> * More than 224,000 open relays (ordb.org). I assume some if not most
> are due to careless administrators, and these same careless
> administrators are going to correctly use certificates?
Hell no... but:

1. You can't simply put in your favorite Linux distro and have a live and
abusable SMTP gateway; you have to get a certificate for it.

2. This certificate takes time and money to get, and you would take
great care not to lose it or get bad credit, because if this
certificate is once revoked or known as a spammer host, you'll have to
spend some time and money to get your server back in business.

3. Average Joe doesn't know how to install a certificate in his
SMTP server, thus fewer servers in a "live and operative" state would be
on the net.

> * There is very little incentive to steal keys right now. Client
> certificates are generally useless, server certificates are only good
> if you can control the domain name as well. Correct me if I'm wrong,
> but even if I have www.vendor.com's private key, I still can't snoop in
> on SSL conversations, and I can't hijack the site unless I hijack the
> DNS entry as well. Look at the tremendous lengths spammers have gone
> through to make e-mail unusable: deter spam using PKI and I suspect
> we'll see a healthy black market of sender certificates.
Well, the SMTP server connects to another server with a client
certificate... thus they _are_ needed... and this client certificate
(+key) would allow you to authenticate as the other server. It might
trigger an alarm that the DNS and the cert don't match, but at least
in Postfix it's up to you whether you consider that a threat.

One big advantage of a CA system is that it's issued based on the
location, so if you don't want any mail from CN then you don't get any
mail from there (not like these days, where you can't really tell where
this .com originates, at least not in a reasonable way without 6 whois
lookups ;) ).

> The basic point is, trust DNS. If the key fingerprints are to be put
> into DNS, then we trust DNS anyway, and we can eschew the PKI.

The problem here is that DNS is an untrustworthy, non-authenticatable
service. With DNSSEC this might change... In a PKI you can say exactly
"who he is" and "who has said who he is", and you can decide for yourself
whether you want to trust certs signed by ca.throwaway.com, rather than
filling up your blacklist with throwaway domains.

my 2c
Philipp

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt