Re: [Asrg] Proven solution for authenticating messages

Hadmut Danisch <hadmut@danisch.de> Tue, 04 March 2003 09:40 UTC

From: Hadmut Danisch <hadmut@danisch.de>
To: Prasenjeet Dutta <bulk@chaoszone.org>
Cc: asrg@ietf.org, mike.pearson@ssc.govt.nz
Subject: Re: [Asrg] Proven solution for authenticating messages
Message-ID: <20030304093923.GB1965@danisch.de>
References: <7B170C5E4008D311ABB70008C7D3825B03BC340E@saison.ssc.govt.nz> <20030303213350.GA13559@danisch.de> <3E6453B9.2080905@chaoszone.org>
Date: Tue, 04 Mar 2003 10:39:23 +0100

On Tue, Mar 04, 2003 at 12:50:25PM +0530, Prasenjeet Dutta wrote:
> 
> It could also be because most PKI infrastructure is based on the X.509 
> model, which (though scalable) requires folk needing a certificate to 
> cough up cash to CAs like Verisign. Also, for secure personal 
> communication (as opposed to electronic commerce), PGP has been arguably 
> far more popular than S/MIME. Especially given its free, bottom-up 'web 
> of trust' model, PGP may well succeed where the top-down X.509 has
> not.

PGP (as we know it) will never do this job, since it lacks the
structure that X.509 has. PGP trust is based on a cloud of friends and
acquaintances, you will never get a working trust structure covering
the world wide email network.

> Again, what is the goal of using TLS for email? Securing the messages? 
> That opens up a new battle with the monitoring agencies. Or is it (from 
> the anti-spam point of view) to let SMTP servers non-repudiably identify 
> themselves? If this is the goal, then it can be done with far less 
> overhead than TLS.

You miss the point. I didn't discuss the goal of TLS. 

What I wanted to say: that is a mechanism that is already
implemented and widely spread. No need to install new software.
And even that one is rarely used, because cryptography is still
too complicated for most mail admins. The very same problem
will apply to the S/MIME approach once it is used outside a
centralized organisation like the NZ gov.


Secondly, the NZ S/MIME doesn't provide end-to-end security, only
relay-to-relay. The same effect can be achieved with TLS. TLS is
already available, but people simply don't use it.

> Digital signatures inserted by the *server* (not by the user, who should 
> not have to bother with the complexity of this) to identify *itself*, 
> using an RFC 2440 infrastructure, may be more successful in making 
> individual SMTP servers identifiable and accountable for what they spew 
> onto the Internet. Consider this fragment:

Again, you will never get a working PGP infrastructure reliably 
covering the whole e-mail world.

Hadmut
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg