Date: Wed, 24 Jan 2001 07:49:47 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <cjclark@alum.mit.edu>
Cc: "'Arcady Genkin'" <antipode@thpoon.com>, <freebsd-questions@FreeBSD.ORG>
Subject: RE: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID: <003101c0861d$47d3a480$1401a8c0@tedm.placo.com>
In-Reply-To: <20010124000228.B10761@rfx-216-196-73-168.users.reflex>

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
>Sent: Wednesday, January 24, 2001 12:02 AM
>To: Ted Mittelstaedt
>Cc: 'Arcady Genkin'; freebsd-questions@FreeBSD.ORG
>Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server and secure
>authentication)
>
>
>No one has proposed an inexpensive way to do good PKI. Thus, it will
>cost money to do it.
>

my point. However, it doesn't mean that it can't be done.

>
>Because there is trust involved. If I said you could use my machine
>for DNS, would you trust all of the results? That's one of the things
>SSL takes into account, people hijacking DNS. If anyone can give out a
>CA, why bother with CA's in the first place. Very loose authentication
>is basically no authentication. In addition to having my DNS say that
>another one of my machines is www.americanexpress.com, I can just as
>easily give out a cert verifying that I really am American
>Express. Since I am ('cause everyone is) a valid CA, you'd believe
>me.
>

Exactly the same situation exists with BGP4 routing on the Internet.
To participate in BGP4, in essence the entire Internet must trust
you to not screw them by injecting bad routing data into the Internet
route tables.

However, with all the feed contracts I've ever seen, the costs of
handling BGP4 are simply part of the feed itself.

There's a basic cost to setting up an IP stack to exchange packets
with other IP stacks on the Internet, for most people it takes the
form of a $20-per-month charge for access, for some it's other types
of access. There's no reason that encryption/authentication cannot be
part of that fee, the same way that the BGP4 routing service is part
of the feed cost for ISP's.

>> Of course, if encryption should ever become as common as
>> the TCP/IP stack, there wouldn't be an industry of people
>> sitting around figuring out ways to make it more complicated
>> to use, or legally restricting it, or putting algorithms
>> for it under restrictive licenses, etc. etc.
>
>Again, encryption is relatively easy. Authentication is hard.

The problem is that most of the encryption people understand that
if they can separate the encryption/authentication service from the
basic IP connectivity service, they can get more money for it.

It's not that it's hard to do, it's that there's a disturbing trend
to unbundle services on the Internet to get more money for them.
The situation with DNS is a perfect example. Early on, it didn't cost
anything at all to name a system in DNS, then NSI came along and some
bright boy got the idea they could charge money for it, and now you
have the current mess with idiots paying millions of dollars for
television.com. Yet, for all the extra money people are paying for
domain names, all that cash hasn't improved DNS any, made it more
secure, for example. All it's done is created a lot of jobs for people
selling advertising. If the encryption people have their way then the
PKI industry is going to end up the same way.

>--
>Crist J. Clark                           cjclark@alum.mit.edu
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>