Forums » Yahoo 'Domain Keys' » STARTTLS anyone?


koitsu
Premium
join:2002-07-16
Mountain View, CA

reply to nixen
Re: STARTTLS anyone?

This is one of the most educational and thumbs-up-worthy posts I've seen on BBR in a while (maybe I'm just not looking in the right places).

Incredibly useful, FO.

And likewise, I'm in the exact same boat you are. I too have the same qualms with coughing up large sums of money for SSL certs -- which would most definitely apply to Yahoo!'s new idea, albeit for a different technology -- and likewise have no desire to pay big bucks for CA-signed certs. I guess it depends on how much it costs.

Although nothing is going to stop a spammer from paying for a CA-signed cert. Even if it was US$1000, they'd pay it to continue to spam. You know how it goes... so really, what is Yahoo!'s idea going to truly get us?
--
Making life hard for others since 1977.


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

reply to justin
said by justin:
with huge volumes of mail pouring into yahoo each from a different IP, and claiming to be from a certain server, don't you need the existing scaled DNS infrastructure to cope with efficient local lookups and propagation of changes?

It would probably be possible to use the same key-propagation mechanism used in "standard" DNS signed zones. Of course, the only thing I've ever done even remotely close to that is setting up signature keyed remote zone updates. And, even if I did bother to secure my zone, unless the holders of .com were to set up a trust relationship with me, my zone would only be locally secure. Given who holds .com, I'm guessing the only way that's going to happen is if I buy SSL certificates for my DNS servers from Verisign (which sorta smacks of conflict of interest?).

And that's the real problem with this whole scheme: SSL certificates don't come cheap and only come through a few, select places. So, to fully secure email or to fully secure DNS, etc., someone like Verisign (ECH!) would be in a good position to make an awful lot more money than they already do just for secured web sites.

Unless GPG-style keyring servers were used, it's going to suck for small mail/DNS operators. It overall seems to be a way to eliminate use of personal mail servers and DNS servers, thus guaranteeing that every aspect of the Internet would become commercialized.

Is it necessarily a bad thing to be forced to rely on professional DNS and email services? It kind of depends on how good of a job you think they are or would likely do. I run my own DNS and SMTP servers because I have yet to find a provider that meets my needs for speed, flexibility and freedom from hassles like SPAM. My fear is, given a Yahoo scenario, I'd have to pay somebody to relay my emails.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"


koitsu
Premium
join:2002-07-16
Mountain View, CA

reply to justin
Depends on how it's done. I was considering it a TXT record per zone which contained an MD5 or Base64 version of a public key.

After thinking about it for a while, I really don't see what this is going to do for people. I mean, we already have certificates available to sendmail and qmail via STARTTLS; why do we need one per zone?

It's possible I'm misunderstanding how Yahoo! wants to implement it, but of course the details are still kinda sketchy at this point.
--
Making life hard for others since 1977.


justin
Australian
join:1999-05-28
Brooklyn, NY
reply to koitsu
with huge volumes of mail pouring into yahoo each from a different IP, and claiming to be from a certain server, don't you need the existing scaled DNS infrastructure to cope with efficient local lookups and propagation of changes?