On Wed, Dec 20, 2000 at 01:41:07AM -0800, Bill Stewart wrote:
A separate discussion over on coderpunks may be helpful here.
From: John Gilmore <gnu@toad.com>
Bram - you can do encryption at the Mail Transfer Agent layer, like encrypting versions of SMTP, or in the mail header/body layer,
I'm not sure where to find the standards for encrypting SMTP, but there are some; look around on sendmail.com.
See RFC 2487, "SMTP Service Extension for Secure SMTP over TLS", which adds the "STARTTLS" command and HELO extension option to the SMTP specification. This permits two SMTP servers to negotiate to use TLS (also known as SSL) encryption before sending email.
Eric Rescorla's new book, "SSL and TLS: Designing and Building Secure Systems" includes two chapters which may be apropos - one which discusses securing SMTP with SSL (including the limitations of that approach), and one which discusses alternative means to reach a similar end, e.g., IPsec or object encryption (where encrypted messages are sent over insecure pipes). It's also generally a very helpful book, and includes a much more detailed discussion of the ephemeral DH modes than does the other contender, "SSL and TLS Essentials: Securing the Web" (also useful) by Stephen Thomas.

--
Greg Broiles
gbroiles@netbox.com
PO Box 897
Oakland CA 94604
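As an added illustration (not part of the thread or of RFC 2487 itself), the following models the client side of the STARTTLS negotiation described above: EHLO, STARTTLS, then a fresh EHLO once TLS is up. All server replies are constructed sample text, the TLS handshake is only marked rather than performed, and the `require_tls` policy flag is an assumption used to show the limitation Greg mentions: a client cannot distinguish a server that does not offer STARTTLS from a reply that lost it in transit, so opportunistic mode silently falls back to plaintext.

```python
from dataclasses import dataclass, field

# Constructed server replies (not captured traffic). "250-" lines continue the
# reply and carry extension keywords; the final line uses "250 " with a space.
EHLO_WITH_TLS = ("250-mail.example.net Hello client.example\r\n"
                 "250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP")
EHLO_AFTER_TLS = ("250-mail.example.net Hello client.example\r\n"
                  "250-SIZE 10240000\r\n250 HELP")  # STARTTLS must not reappear
EHLO_NO_TLS = "250-mail.example.net Hello client.example\r\n250 HELP"
REPLIES_OK = {"ehlo": EHLO_WITH_TLS, "starttls": "220 Ready to start TLS",
              "ehlo_tls": EHLO_AFTER_TLS}
REPLIES_NO_TLS = {"ehlo": EHLO_NO_TLS}

@dataclass
class Session:
    tls_active: bool = False
    transcript: list = field(default_factory=list)  # (who, text) pairs

def parse_ehlo(reply: str) -> set:
    """Extension keywords from a multi-line 250 reply; the first line is the greeting."""
    keywords = set()
    for ln in reply.splitlines()[1:]:
        words = ln[4:].split()
        if ln.startswith("250") and words:
            keywords.add(words[0].upper())
    return keywords

def negotiate(replies: dict, require_tls: bool) -> Session:
    """EHLO -> STARTTLS -> (TLS handshake) -> EHLO, as RFC 2487 lays it out.
    require_tls=True refuses plaintext delivery; False is opportunistic TLS."""
    s = Session()
    s.transcript += [("C", "EHLO client.example"), ("S", replies["ehlo"])]
    if "STARTTLS" not in parse_ehlo(replies["ehlo"]):
        if require_tls:
            raise RuntimeError("STARTTLS not offered; refusing plaintext delivery")
        return s  # opportunistic mode: the session simply continues in the clear
    s.transcript += [("C", "STARTTLS"), ("S", replies["starttls"])]
    if not replies["starttls"].startswith("220"):
        raise RuntimeError("server declined STARTTLS")
    s.tls_active = True  # the real TLS handshake would run on the socket here
    # The SMTP state resets after the handshake: discard the earlier extension
    # list and send EHLO again over the now-encrypted channel.
    s.transcript += [("C", "EHLO client.example"), ("S", replies["ehlo_tls"])]
    if "STARTTLS" in parse_ehlo(replies["ehlo_tls"]):
        raise RuntimeError("server re-advertised STARTTLS inside TLS")
    return s

def delivery_allowed(replies: dict, require_tls: bool) -> bool:
    """True if the policy lets the session proceed to mail transfer."""
    try:
        negotiate(replies, require_tls)
        return True
    except RuntimeError:
        return False
```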