RE: [Asrg] Re: 2. Uselessness of C/R
It is no longer true that tinkering with the Internet at the edges is easier than the middle. It has not been true for at least a decade.
It is utterly impractical to change the core Internet. Changing the edge is very, very slow.
The only place where change is practical is the interface between the network and the Internetwork.
This means abandoning the myth that hosts connect to the Internet; they don't, and they won't in future either.
If we are to have security we have to apply Butler Lampson's concept of a security reference monitor and realize that in the network context this is a firewall or other edge security device.
We could change the S/MIME spec, but that would eliminate the advantage of using S/MIME and create even more problems as legacy S/MIME clients misbehave when they see the new S/MIME. S/MIME does not cope with upgrades gracefully. Introducing a parallel spec is far more effective and simpler.
> -----Original Message-----
> From: Yakov Shafranovich [mailto:research at solidmatrix.com]
> Sent: Wednesday, January 28, 2004 7:17 PM
> To: Hallam-Baker, Phillip
> Cc: ASRG
> Subject: Re: [Asrg] Re: 2. Uselessness of C/R
>
> Hallam-Baker, Phillip wrote:
> >>While we are on the topic of S/MIME: currently majority of MUAs have
> >>S/MIME support built-in including root certificates. Why is that no
> >>banks or financial companies that are suffering from "phishing"
> >>attacks, consider signing their email via S/MIME?
> >
> >
> > I know several banks that are considering it. The disadvantage is that there
> > are email users with MUAs that don't handle S/MIME. The big problem is that
> > Eudora is effectively an orphan code-base with little serious development
> > work.
> >
>
> Any ideas on what is the percentage of users that do not have S/MIME? If
> MSFT, Mozilla, etc. and the other MUAs cover a virtual majority of the
> market, and would cover a majority of users affected by the phishing
> attacks, why aren't the banks deploying it? It would be easier to tinker
> with the edges of the network, rather than the center.
>
> > There is a private working group looking at this. Yahoo! Domain keys looks
> > like a better fit for what it is intended to achieve.
> >
>
> Wouldn't a profile of S/MIME that stores keys in DNS achieve essentially
> the same thing?
>
> Yakov
> -------
> Yakov Shafranovich / asrg <at> shaftek.org
> SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
> "Power tends to corrupt, and absolute power corrupts absolutely" (Lord Acton)
> -------
>
>
> _______________________________________________
> Asrg mailing list
> Asrg at ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg