Re: Bruce Schneier on IPsec

[Michael Thomas <mat@cisco.com>]

Henry Spencer writes:
 > On Thu, 3 Feb 2000, Phil Karn wrote:
 > > Only a tool like PGP, run at the ultimate endpoints (i.e.,
 > > the users' mail agents), can provide true end-to-end email security.
 > 
 > If one is taking "end-to-end" in this strong a sense, then one should not
 > muddy the waters with references to POP etc.  Not even pre-MX SMTP
 > delivered this level of end-to-end-ness; delivery direct to your host
 > seldom, if ever, implied delivery direct to your mail agent.  (And for
 > that matter, even delivery direct to your mail agent still requires that
 > you trust the infrastructure it is running on, e.g. the memory protection
 > of the operating system.)

I hope that the implications here are not that
this is some sort of either/or situation. It may
be perfectly reasonable to use hop by hop IPsec to
secure transport, as well as using end to end PGP
for application layer privacy. They are two
different problems. 

For example, I'd like to thwart spammers from
creating spam lists by snooping at unencrypted
SMTP packets going by. This can easily be achieved
by using hop to hop IPSec. I suppose that PGP
could do that too, but there may be big benefits
of caching the results of public key operations
for key exchange in the form of SA's for well
traveled mail paths, and IPSec does this quite
nicely. The less well traveled paths devolve into
their non-cached counterpart which is probably a
wash.

SIP has an identical set of issues, FWIW.

			Mike

---

References:

• Re: Bruce Schneier on IPsec
• From: Phil Karn <karn@qualcomm.com>
• Re: Bruce Schneier on IPsec
• From: Henry Spencer <henry@spsystems.net>

---

• Prev by Date: Re: Bruce Schneier on IPsec
• Next by Date: Re: Commit Bit and SPI?
• Prev by thread: Re: Bruce Schneier on IPsec
• Next by thread: Re: Bruce Schneier on IPsec
• Index(es):
  • Main
  • Thread