What email encryption is actually in use?
Steven M. Bellovin
smb at research.att.com
Wed Oct 2 14:56:39 EDT 2002
In message <20021002181118.GG5461 at ralph.worldwinner.com>, John Saylor writes:
>Hi
>
>( 02.10.02 12:50 -0500 ) Jeremey Barrett:
>> but it's always better to encrypt than not, even if no additional
>> trust is gained.
>
>While I generally am on board with this, I can see a situation where the
>encryption overhead [and complexity] may be excessive [underpowered mail
>servers administered by beginners] compared to the gains.
>
The primary use of STARTTLS for SMTP is for mail *submission*, not
relaying. That is, when clients (like Eudora) generate mail, they
submit it to an ISP or organizational SMTP server. If this server is
accessible from the Internet, it should require some sort of
authentication, to avoid becoming an open spam relay. This is
sometimes done by a password over a TLS-protected session.
In other words, this isn't opportunistic encryption, and doesn't run
into the problem of "random smtp server has a self-signed cert". The
client should be configured to know what cert to expect.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
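
The submission flow described in the message above, sketched as an added example (not part of the original post or any mail client's code): the client upgrades with STARTTLS, checks the server certificate against a locally configured SHA-256 fingerprint, and only then sends the password. The function names, the pin format and the use of Python's `smtplib` are assumptions made for illustration.

```python
import hashlib
import hmac
import smtplib
import ssl


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' and return lowercase hex."""
    return pin.replace(":", "").replace(" ", "").lower()


def cert_matches_pin(der_cert: bytes, pin: str) -> bool:
    """True if SHA-256 over the DER certificate equals the configured pin."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_pin(pin))


def submit(host, port, pin, user, password, sender, rcpt, message):
    """Submit one message; refuse to authenticate to an unexpected server."""
    # Chain and hostname validation are disabled on purpose: trust comes
    # from the pin, so a self-signed certificate is acceptable as long as
    # it is the exact certificate the client was configured to expect.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # Raises SMTPNotSupportedError if the server does not offer
        # STARTTLS, so the password is never sent over a clear channel.
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
        if der is None or not cert_matches_pin(der, pin):
            raise ssl.SSLError("server certificate does not match pin")
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        smtp.login(user, password)
        smtp.sendmail(sender, [rcpt], message)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: shows the pin
    # check accepting the expected value and rejecting anything else.
    expected = b"constructed-der-bytes-of-expected-cert"
    pin = hashlib.sha256(expected).hexdigest()
    print(cert_matches_pin(expected, pin))            # expected server
    print(cert_matches_pin(b"some-other-cert", pin))  # unexpected server
```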
---------------------------------------------------------------------
The Cryptography Mailing List