spf-discuss

RE: RCPT TO: rejecting

2004-05-26 19:11:47
From: Theo Schlossnagle
Sent: Wednesday, May 26, 2004 8:41 PM


I'm a practical person too.

The following makes this particularly clear.


Full PKI isn't really that expensive and the beauty of it is that it
doesn't victimize anyone.  As for signing and verification, the cost
for reasonable performance is really minimal (as in most people won't
need hardware acceleration).  With a $1000 crypto card in a server you
can do 4,000 or so signs or validates per second.  4,000
messages/second is above our test lab results for Ecelerity.  We can
really only push about 2000 messages/second over SMTP in our lab (about
7.2 million messages/hour).  As people are striving for these lab
results in real life and 300 messages/second on a single server seems to
satisfy most people with performance concerns, PKI just doesn't seem
that intimidating.

We'll see how the DomainKeys stuff plays out, that stuff looks exciting
too.

Well, I have to admit, I'm totally flabbergasted.  A CBV is far too
expensive and abusive, but fetching a cert from a CA, pulling out the key
and validating the private key signature is fine.  You also have to buy a
cert from VeriSign or their ilk for every employee at a company.  Using the
PKI probably takes three times the network bandwidth and a boatload of CPU,
even with a hardware accelerator, but at least we don't have to do a CBV!
I'm glad that you think it's worth all this cost simply to avoid a CBV that
_might_ not be to the message originator.  At least we're clear your
objection to CBV is not based on technical or economic grounds.

--

Seth Goodman

