
Re: Mandatory MIME security

From: Chris Newman <Chris.Newman@Sun.COM>
Date: Fri, 08 Nov 2002 12:50:14 -0800
To: Andrew Newton <anewton@ecotroph.net>
Cc: discuss@apps.ietf.org
Message-id: <2147483647.1036759814@nifty-jr.west.sun.com>

begin quotation by Andrew Newton on 2002/11/8 12:35 -0500:
> Others that I know who have done informal surveys of "average" computer
> users also state that the complexity of client certificates is the reason
> for low adoption.  Personally, I don't think it is that big of an issue.
> My own informal survey of "average" computer users didn't even get that
> far:  they either didn't see a need or didn't feel they had a need.

They won't see the need until some site which stores user passwords in the 
clear is broken and the attackers start breaking into things like bank 
accounts using the principle that most users attempt to have the same 
username/password at every site.

The airline industry didn't see the need for reinforced doors for pilots or a 
policy of active opposition to hijackers until after Sep 11.

> Pardon the ignorance, but is there a deployed hop-to-hop protocol using
> something like TLS?

If you count HTTPS with proxies, then yes.  Otherwise no.

But we do have most of the necessary pieces for SMTP specified and many of 
them implemented.  SMTP STARTTLS is widely implemented and works pretty 
well hop-to-hop.  SMTP AUTH provides a hop-to-hop authentication framework. 
The simplest path to a complete solution depends on the security 
requirements for the layered application, but we could get a deployable 
solution (meaning I could implement it and imagine non-tech friends using 
it) pretty quickly.

                - Chris
Received on Friday, 8 November 2002 18:09:36 UTC
