Date:      Wed, 24 Jan 2001 00:02:28 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        "'Arcady Genkin'" <antipode@thpoon.com>, freebsd-questions@FreeBSD.ORG
Subject:   Re: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID:  <20010124000228.B10761@rfx-216-196-73-168.users.reflex>
In-Reply-To: <001801c085c4$d2fc2cc0$1401a8c0@tedm.placo.com>; from tedm@toybox.placo.com on Tue, Jan 23, 2001 at 09:16:35PM -0800
References:  <20010122223239.P10761@rfx-216-196-73-168.users.reflex> <001801c085c4$d2fc2cc0$1401a8c0@tedm.placo.com>

On Tue, Jan 23, 2001 at 09:16:35PM -0800, Ted Mittelstaedt wrote:
> So far I haven't seen a single suggestion here that will
> do anything to increase usage of encryption on the Internet.

Well, the problem being discussed had more to do with authentication
than just encryption.

> You seem to be advocating an Internet where high encryption
> is a product that is an extra add-on to IP communications and
> should cost money, and we all should be paying fees to
> the CA industry.  Obviously, normal economic forces will
> naturally limit its deployment.

No one has proposed an inexpensive way to do good PKI. Thus, it will
cost money to do it.

> It's a lot like the
> government's attitude of let's keep the strong encryption
> away from the people if we can.

Again, encryption and authentication are different
problems. Encryption is easy compared to authentication.

> From my point of view, I
> don't see any reason why high encryption cannot
> be built into all TCP/IP communication and just come as part
> of the stack itself,

It is built into IPv6.

> and CA's be issued freely by any server.
> After all, you can use any DNS server on the Internet to
> look up names, and NTP services are free for the asking,
> why should encryption certificates be any different?

Because there is trust involved. If I said you could use my machine
for DNS, would you trust all of the results? That's one of the things
SSL takes into account, people hijacking DNS. If anyone can give out a
CA, why bother with CA's in the first place? Very loose authentication
is basically no authentication. In addition to having my DNS say that
another one of my machines is www.americanexpress.com, I can just as
easily give out a cert verifying that I really am American
Express. Since I am ('cause everyone is) a valid CA, you'd believe
me.

> Of course, if encryption should ever become as common as
> the TCP/IP stack, there wouldn't be an industry of people
> sitting around figuring out ways to make it more complicated
> to use, or legally restricting it, or putting algorithms
> for it under restrictive licenses, etc. etc.

Again, encryption is relatively easy. Authentication is hard.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

