- From: Chris Newman <Chris.Newman@Sun.COM>
- Date: Fri, 08 Nov 2002 12:50:14 -0800
- To: Andrew Newton <anewton@ecotroph.net>
- Cc: discuss@apps.ietf.org
begin quotation by Andrew Newton on 2002/11/8 12:35 -0500:

> Others that I know who have done informal surveys of "average" computer
> users also state that the complexity of client certificates is the reason
> for low adoption. Personally, I don't think it is that big of an issue.
> My own informal survey of "average" computer users didn't even get that
> far: they either didn't see a need or didn't feel they had a need.

They won't see the need until some site which stores user passwords in the clear is broken and the attackers start breaking into things like bank accounts using the principle that most users attempt to have the same username/password at every site. The airline industry didn't see the need for reinforced doors for pilots or a policy of active opposition to hijackers until after Sep 11.

> Pardon the ignorance, but is there a deployed hop-to-hop protocol using
> something like TLS?

If you count HTTPS with proxies, then yes. Otherwise no. But we do have most of the necessary pieces for SMTP specified and many of them implemented. SMTP STARTTLS is widely implemented and works pretty well hop-to-hop. SMTP AUTH provides a hop-to-hop authentication framework. The simplest path to a complete solution depends on the security requirements for the layered application, but we could get a deployable solution (meaning I could implement it and imagine non-tech friends using it) pretty quickly.

- Chris
Received on Friday, 8 November 2002 18:09:36 UTC