North American Network Operators Group


Re: Remote email access

  • From: Valdis.Kletnieks
  • Date: Tue Feb 04 13:21:03 2003

On Tue, 04 Feb 2003 09:05:17 EST, Daniel Senie said:

> This is, IMO, unworkable in the near term. While I support and promote the 
> use of TLS with SMTP (and POP), requiring client certs is likely too 
> cumbersome for users to manage at this stage. Using STARTTLS to transition 
> clients to an encrypted connection works exceptionally well. The server 
> does need a cert, but the users are identifying with a methodology they 
> understand, usernames and passwords.

I've personally been advocating setting up Sendmail with a self-signed
certificate and opportunistic STARTTLS. Yes, I know it's not immune to
man-in-the-middle attacks - but it's *quite* sufficient to stop passive
sniffing of userids/passwords/text.  And it doesn't require much infrastructure.

> The question this raises is whether you're concerned about MTA to MTA 
> communication, or MUA to MTA? I'd be happy to see certs in use for MTA-MTA 
> (and indeed support this today on my systems when talking to other MTAs 
> which are using STARTTLS). However, there are definitely reasons why this 

One of my hosts (a fair-sized Listserv server) sent out some 278K connections
to other sites yesterday.  Of the 3,453 domains it talked to, 123 were
willing to do STARTTLS, for a deployment rate of 3.5%.

Unfortunately, working across connections, only 0.53% used it.  If the 10
busiest sites we talked to deployed STARTTLS, it would jump to some 27% of
the traffic.

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

Attachment: pgp00000.pgp
Description: PGP signature
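The two deployment figures in the post above (3.5% of peer domains offer STARTTLS, but only 0.53% of connections used it, rising to about 27% if the ten busiest peers deployed it) come from looking at the same outbound log two ways. The script below, an added example that is not code from the post, from Virginia Tech or from Sendmail, reproduces that analysis on a constructed log: it decides whether a peer "is willing to do STARTTLS" by parsing its EHLO reply the way a client does, then computes the per-domain rate, the per-connection rate, and the what-if number for the busiest non-TLS peers. The domain names, connection counts and the EHLO replies in the test are all made up for illustration.

```python
"""STARTTLS deployment seen from an outbound MTA: per-domain vs per-connection.

Added example, not code from the NANOG post or from Sendmail. The log below is
constructed; its skew (a few busy sites without TLS) mimics the shape of the
numbers in the post, but the figures are not Virginia Tech's.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Connection = Tuple[str, bool]  # (destination domain, peer offered STARTTLS)

# Constructed sample log: one entry per outbound SMTP connection.
SAMPLE_CONNECTIONS: List[Connection] = (
    [("bigmail.example", False)] * 400
    + [("university.example", False)] * 250
    + [("isp.example", False)] * 150
    + [("secure.example", True)] * 30
    + [("tls-friendly.example", True)] * 5
    + [(f"mid{i}.example", False) for i in range(5) for _ in range(3)]
    + [(f"small{i}.example", False) for i in range(50)]
    + [(f"tiny-tls{i}.example", True) for i in range(5)]
)


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line EHLO reply advertises the STARTTLS extension (RFC 3207).

    Extension keywords follow '250-' (continuation line) or '250 ' (last line).
    Matching is case-insensitive and whole-word, so 'STARTTLSX' does not match.
    """
    for line in ehlo_reply.splitlines():
        if len(line) >= 4 and line.startswith("250") and line[3] in "- ":
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False


def deployment_stats(connections: Sequence[Connection], top_n: int = 10) -> Dict[str, object]:
    """Summarise how much outbound traffic could have been protected by STARTTLS.

    'domain_rate' is what a survey of peers reports (share of domains offering
    it); 'connection_rate' is the share of connections that could actually have
    been encrypted; 'what_if_rate' is the connection rate if every one of the
    top_n busiest peers offered STARTTLS.
    """
    if not connections:
        raise ValueError("no connections in log")
    per_domain = Counter(domain for domain, _ in connections)
    tls_domains = {domain for domain, offered in connections if offered}
    tls_connections = sum(1 for _, offered in connections if offered)
    # Busiest peers first; ties keep log order (Counter.most_common is stable).
    busiest = [domain for domain, _ in per_domain.most_common(top_n)]
    busiest_without_tls = [d for d in busiest if d not in tls_domains]
    what_if_connections = tls_connections + sum(per_domain[d] for d in busiest_without_tls)
    total = len(connections)
    return {
        "domains": len(per_domain),
        "tls_domains": len(tls_domains),
        "connections": total,
        "tls_connections": tls_connections,
        "domain_rate": len(tls_domains) / len(per_domain),
        "connection_rate": tls_connections / total,
        "busiest_without_tls": busiest_without_tls,
        "what_if_connections": what_if_connections,
        "what_if_rate": what_if_connections / total,
    }


if __name__ == "__main__":
    s = deployment_stats(SAMPLE_CONNECTIONS)
    print(f"{s['tls_domains']}/{s['domains']} domains offer STARTTLS "
          f"({s['domain_rate']:.1%}), but only {s['connection_rate']:.2%} of connections could use it")
    print(f"if the busiest non-TLS peers {s['busiest_without_tls']} deployed it: {s['what_if_rate']:.1%}")
```

The gap between the domain rate and the connection rate is the point of the post: a handful of high-volume peers without STARTTLS dominate the traffic, so counting domains overstates how much mail is protected, and the `busiest_without_tls` list is the short list of sites worth asking to turn it on.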