Interesting People mailing list archives

more on TRIPOLI


From: Dave Farber <dave () farber net>
Date: Sat, 10 May 2003 18:00:19 -0400

Lauren did say it is a work in progress djf


------ Forwarded Message
From: Tom Goltz <tgoltz () QuietSoftware com>
Date: Sat, 10 May 2003 13:08:55 -0400
To: dave () farber net
Subject: Re: [IP] TRIPOLI -- An Empowered E-Mail Environment Putting E-Mail Users in Control While Enhancing Security and Controlling Spam

At 08:02 AM 5/10/2003 -0400, you wrote:
An Empowered E-Mail Environment
Putting E-Mail Users in Control
While Enhancing Security and Controlling Spam

...

For Tripoli Pits to be useful resources for e-mail processing and handling,
it is absolutely critical that they be certified by external, third-party
certification entities. Without certification by trusted third-parties, such
an authentication system would be useless since it could not be trusted to
provide accurate and valid authentication data.

My biggest concern about this proposed enhancement to email is based on
practical experiences with the SSL certificates used to authenticate http
servers. Although none of the protocol specifications specify or endorse a
particular Certificate Authority, the fact that only certain CAs are
included in the web browsers used by 95% of the users has created a
de facto lock-in to a very small set of CAs.

Thanks to Verisign's purchase of Thawte Consulting, they now control over
90% of the usable CAs for SSL certificates. As a reflection of that
control, annual signed SSL certificate prices have been steadily rising,
from around $100/year in 1998 to over $300/year today. If you plan on
using SSL for more than your http server, a server-wide set of
Verisign-signed SSL certificates costs around $1,000/year. Considering
that this amount represents over 60% of my total annual Internet server
operations budget, it should not be surprising that I and many other small
sites are electing to use self-signed SSL certificates, effectively
defeating the ability of SSL to provide authentication.

How do you plan on avoiding this problem for Tripoli PITs? If Microsoft
implements Tripoli in Outlook / Outlook Express, but the only PCA they
include belongs to Verisign, how are we going to avoid paying a hefty
annual "email tax" to this company? While I can set my server to accept
unsigned PITs, if I want to communicate with users of Microsoft's client
or server software who haven't modified the default settings, I will have
little choice but to pay.

From a privacy standpoint, your proposal does not address the procedures
that will be used to verify the identity of an entity requesting a
PCA-signed PIT. What information is required? Is the PCA allowed or even
compelled to archive this information? On what basis will this information
be made available to outside parties, either individual or
governmental? How are we going to deal with stolen PITs?

This is not a purely academic concern: the attitude in the courts appears
to be that the stronger the authentication of a message or transaction, the
greater the burden on someone to disprove that they conducted the
transaction. Compare the legal tradition surrounding credit card
transactions, which are effectively unauthenticated, to that of ATM/debit
transactions, which are authenticated by the use of a (supposedly
confidential) PIN. As we begin to create authenticated email, we need to
carefully consider the legal ramifications and how this could have a
positive or negative impact on our daily lives.



Tom Goltz
(603) 594-9922


------ End of Forwarded Message
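As an added illustration, not part of either message above, the trust-store effect Tom describes modelled with Go's standard crypto/x509: a client that ships with a single CA accepts only certificates that CA signed, a self-signed certificate fails for every such client regardless of how good its key is, and only a recipient who deliberately adds that certificate to their own trust store can make it verify. The CA name, host name and keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// must panics on any error so the demo stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCert issues a certificate for host signed by parent/parentKey; a nil parent means self-signed (marked CA, as openssl does by default).
func newCert(host string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template vouches for itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// Scenario reports whether host's certificate is accepted when (1) the one CA the client
// ships with signed it, (2) it is self-signed and the client keeps its default trust
// store, (3) it is self-signed and the recipient deliberately pinned it.
func Scenario(host string) (caSigned, selfSigned, selfSignedPinned bool) {
	ok := func(c *x509.Certificate, roots *x509.CertPool) bool { // chain-build as a mail client would
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return err == nil
	}
	ca, caKey := newCert("pca.example.test", nil, nil) // constructed stand-in for a PCA
	leaf, _ := newCert(host, ca, caKey)                // CA-signed PIT for host
	self, _ := newCert(host, nil, nil)                 // self-signed PIT for the same host
	defaults, pinned := x509.NewCertPool(), x509.NewCertPool()
	defaults.AddCert(ca)  // the only CA bundled with the client
	pinned.AddCert(self)  // recipient who chose to trust this peer
	return ok(leaf, defaults), ok(self, defaults), ok(self, pinned)
}
```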


Archives at: http://www.interesting-people.org/archives/interesting-people/

