Re: [Asrg] Proven solution for authenticating messages
On Tue, Mar 04, 2003 at 12:50:25PM +0530, Prasenjeet Dutta wrote:
>
> It could also be because most PKI infrastructure is based on the X.509
> model, which (though scalable) requires folk needing a certificate to
> cough up cash to CAs like Verisign. Also, for secure personal
> communication (as opposed to electronic commerce), PGP has been arguably
> far more popular than S/MIME. Especially given its free, bottom-up 'web
> of trust' model, PGP may well succeed where the top-down X.509 has
> not.
PGP (as we know it) will never do this job, since it lacks the
structure that X.509 has. PGP trust is based on a cloud of friends and
acquaintances; you will never get a working trust structure covering
the worldwide email network.
> Again, what is the goal of using TLS for email? Securing the messages?
> That opens up a new battle with the monitoring agencies. Or is it (from
> the anti-spam point of view) to let SMTP servers non-repudiably identify
> themselves? If this is the goal, then it can be done with far less
> overhead than TLS.
You miss the point. I didn't discuss the goal of TLS.
What I wanted to say: That is a mechanism that already is
implemented and widely spread. No need to install new software.
And even that one is rarely used, because cryptography is still
too complicated for most mail admins. The very same problem
will apply to the S/MIME approach once it is used outside a
centralized organisation like the NZ gov.
Secondly, the NZ S/MIME doesn't provide end-to-end security, only
relay-to-relay. The same effect can be achieved with TLS. TLS is
already available, but people simply don't use it.
> Digital signatures inserted by the *server* (not by the user, who should
> not have to bother with the complexity of this) to identify *itself*,
> using an RFC 2440 infrastructure, may be more successful in making
> individual SMTP servers identifiable and accountable for what they spew
> onto the Internet. Consider this fragment:
Again, you will never get a working PGP infrastructure reliably
covering the whole e-mail world.
Hadmut
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg