On Fri, 28 Dec 2001 09:09:30 -0500 Derek Broughton <dbroughton@???> wrote:
> Matthew Byng-Maddick wrote:
>
> > however. This technique of using STARTTLS doesn't ensure privacy, and
> > anyone who claims it does is, IMNSHO, being a complete and utter clueless
> > dork.
>
>
> Of course not, but what is possibly lost by using it?
the concern, i think, is that the naive will confuse SMTP over TLS with
real security, which it is not. SMTP over TLS cannot be real security
under any scenario, because it is not end-to-end from the viewpoint of
sender to receiver. it is only end to end from one MTA to the next MTA.
in my view, the authentication issue is a red herring when talking about
MTA-to-MTA transport via SMTP over TLS, because the authentication battle
has already been lost by the time the email reaches the first MTA.
real security in email is accomplished with PGP, GPG, S/MIME, or other
similar approaches, none of which really have anything to do with exim
other than the fact that exim is a good way to transport them.
richard
--
Richard Welty
rwelty@??? Averill Park Networking
rwelty@??? Unix, Linux, IP Network Engineering, Security
rwelty@??? 518-573-7592
