Date:      Wed, 24 Jan 2001 07:49:47 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        <cjclark@alum.mit.edu>
Cc:        "'Arcady Genkin'" <antipode@thpoon.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID:  <003101c0861d$47d3a480$1401a8c0@tedm.placo.com>
In-Reply-To: <20010124000228.B10761@rfx-216-196-73-168.users.reflex>


>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
>Sent: Wednesday, January 24, 2001 12:02 AM
>To: Ted Mittelstaedt
>Cc: 'Arcady Genkin'; freebsd-questions@FreeBSD.ORG
>Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server and secure
>authentication)
>
>No one has proposed an inexpensive way to do good PKI. Thus, it will
>cost money to do it.
>

My point.  However, it doesn't mean that it can't be done.

>
>Because there is trust involved. If I said you could use my machine
>for DNS, would you trust all of the results? That's one of the things
>SSL takes into account, people hijacking DNS. If anyone can give out a
>CA, why bother with CA's in the first place. Very loose authentication
>is basically no authentication. In addition to having my DNS say that
>another one of my machines www.americanexpress.com, I can just as
>easily give out a cert verifying that I really am American
>Express. Since I am ('cause everyone is) a valid CA, you'd believe
>me.
>

Exactly the same situation exists with BGP4 routing on the Internet.
To participate in BGP4, in essence the entire Internet must trust you
to not screw them by injecting bad routing data into the Internet
route tables.  However, with all the feed contracts I've ever seen, the
costs of handling BGP4 are simply part of the feed itself.

There's a basic cost to setting up an IP stack to exchange packets with
other IP stacks on the Internet, for most people it takes the form of
a $20-per-month charge for access, for some it's other types of access.
There's no reason that encryption/authentication cannot be part of that
fee, the same way that the BGP4 routing service is part of the feed cost
for ISP's.

>> Of course, if encryption should ever become as common as
>> the TCP/IP stack, there wouldn't be an industry of people
>> sitting around figuring out ways to make it more complicated
>> to use, or legally restricting it, or putting algorithms
>> for it under restrictive licenses, etc. etc.
>
>Again, encryption is relatively easy. Authentication is hard.

The problem is that most of the encryption people understand
that if they can separate the encryption/authentication service
from the basic IP connectivity service, they can get more money
for it.  It's not that it's hard to do, it's that there's a
disturbing trend to unbundle services on the Internet to get more
money for them.  The situation with DNS is a perfect example.
Early on, it didn't cost anything at all to name a system in DNS,
then NSI came along and some bright boy got the idea they could
charge money for it, and now you have the current mess with idiots
paying millions of dollars for television.com.  Yet, for all the
extra money people are paying for domain names, all that cash hasn't
improved DNS any, made it more secure, for example.  All it's done is
created a lot of jobs for people selling advertising.  If the
encryption people have their way then the PKI industry is going to
end up the same way.

>-- 
>Crist J. Clark                           cjclark@alum.mit.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
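The trust point Crist raises above (a certificate is only as good as the decision to trust the CA that issued it; if everyone is a CA, a cert for www.americanexpress.com proves nothing) can be shown with two throwaway CAs and the openssl command line. This is an added example, not code from either poster. It assumes an openssl CLI is installed; the CA names, the temporary working directory and the verify_against helper are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a legitimate CA and a rogue CA
# both issue a certificate for the same name. Verification succeeds only when
# the issuing CA is in the trust store, so "trust every CA" is no authentication.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Two self-signed root CAs (hypothetical names, constructed for this example).
openssl req -x509 -newkey rsa:2048 -nodes -keyout good-ca.key -out good-ca.crt \
    -days 1 -subj "/CN=Good CA" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue-ca.key -out rogue-ca.crt \
    -days 1 -subj "/CN=Rogue CA" 2>/dev/null

# One signing request for the name being impersonated.
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/CN=www.americanexpress.com" 2>/dev/null

# The same request signed by each CA: two certs, same name, different issuer.
openssl x509 -req -in srv.csr -CA good-ca.crt -CAkey good-ca.key \
    -CAcreateserial -out good-srv.crt -days 1 2>/dev/null
openssl x509 -req -in srv.csr -CA rogue-ca.crt -CAkey rogue-ca.key \
    -CAcreateserial -out rogue-srv.crt -days 1 2>/dev/null

# A trust store that "believes everyone": both roots concatenated.
cat good-ca.crt rogue-ca.crt > everyone.crt

# verify_against TRUSTSTORE CERT: prints "ok" if CERT chains to TRUSTSTORE, else "fail".
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "good CA trusted,  good-issued cert:  $(verify_against good-ca.crt good-srv.crt)"
echo "good CA trusted,  rogue-issued cert: $(verify_against good-ca.crt rogue-srv.crt)"
echo "rogue CA trusted, rogue-issued cert: $(verify_against rogue-ca.crt rogue-srv.crt)"
echo "everyone trusted, rogue-issued cert: $(verify_against everyone.crt rogue-srv.crt)"
```

The second and fourth lines are the whole argument: the rogue cert is rejected only because the rogue CA is absent from the trust store, and as soon as the store accepts every CA the rogue cert for www.americanexpress.com verifies just as cleanly as the legitimate one. The name in the certificate never enters into it; only the choice of trust anchors does.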
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003101c0861d$47d3a480$1401a8c0>