On May 26, 2004, at 10:11 PM, Seth Goodman wrote:
>> We'll see how the DomainKeys stuff plays out, that stuff looks
>> exciting too.
>
> Well, I have to admit, I'm totally flabbergasted. A CBV is far too
> expensive and abusive, but fetching a cert from a CA, pulling out the
> key and validating the private key signature is fine. You also have to
> buy a cert from VeriSign or their ilk for every employee at a company.
> Using the PKI probably takes three times the network bandwidth and a
> boatload of CPU,

What? Where is purchasing a cert for every employee in the DomainKeys
specification?

PKI is probably 3x more expensive? That isn't so, but you can feel
free to do an IP diagram to prove me wrong.

Boatload of CPU? Not really, signing and verifying in PKI systems is
quite fast on today's inexpensive commodity hardware.

> even with a hardware accelerator, but at least we don't have to do a
> CBV!

No and Yes. No, it isn't that expensive. Yes, at least we don't have
to do a CBV.

> I'm glad that you think it's worth all this cost simply to avoid a CBV
> that _might_ not be to the message originator. At least we're clear your

At some large sites we see 9/10 messages as spam+virii. You said
yourself that most spam is sent with forged sender and we all know that
most virii are. So _might_ turns into likely.

> objection to CBV is not based on technical or economic grounds.

CBV is cheap! It burns other people's money and resources. Even
spending victims' money, performing a CBV has local resource costs. I
submit that $/message/second CBV is more expensive to implement than
PKI validation. That of course is speculation on my part. We have
built a system that can perform 500,000+ inline CBVs per hour, but have
not yet built DomainKeys support in -- it's on the todo list. After we
add support for DomainKeys we'll know better.

// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth