Re: crypto questions - encrypted mail standards
A separate discussion over on coderpunks may be helpful here.
To: Bill Stewart <bill.stewart@pobox.com>
Cc: Bram Cohen <bram@gawth.com>, gnu@toad.com
Subject: Re: encrypted mail standards
Date: Tue, 19 Dec 2000 23:34:55 -0800
From: John Gilmore <gnu@toad.com>
Bram - you can do encryption at the Mail Transfer Agent layer, like encrypting versions of SMTP, or in the mail header/body layer,
I'm not sure where to find the standards for encrypting SMTP, but there are some; look around on sendmail.com.
See RFC 2487, "SMTP Service Extension for Secure SMTP over TLS", which adds the "STARTTLS" command and HELO extension option to the SMTP specification. This permits two SMTP servers to negotiate to use TLS (also known as SSL) encryption before sending email.
There are ways to run POP or IMAP using TLS/SSL as well, but I don't have the standards at my fingertips for this.
Also, John Gilmore may have funded some non-American developer to do an implementation.
Nope; sendmail.com did an implementation and released it once the export rules changed. It's in the current free sendmail release.
John
Thanks! Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
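The STARTTLS negotiation John describes (RFC 2487) is driven by the server's EHLO reply: the client may only issue STARTTLS if the server advertises it, and the server answers 220 to accept or 454 when TLS is temporarily unavailable. The following Python is an added example (not code from this thread, nor from sendmail) that parses a multi-line SMTP reply into its extension keywords and applies a mandatory-TLS policy: it refuses to send in the clear when STARTTLS is missing or rejected, which is the check that defeats a network-level downgrade of the EHLO reply. The reply strings are constructed sample data; the host names are placeholders.

```python
"""EHLO reply parsing and a mandatory-STARTTLS policy check (added example)."""
from dataclasses import dataclass, field


@dataclass
class EhloReply:
    code: int
    domain: str
    extensions: dict = field(default_factory=dict)  # KEYWORD -> parameters


def _split_lines(raw: str) -> list:
    return [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]


def reply_code(raw: str) -> int:
    """Return the 3-digit code of an SMTP reply, or raise on malformed input."""
    lines = _split_lines(raw)
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {raw!r}")
    return int(lines[0][:3])


def parse_ehlo_reply(raw: str) -> EhloReply:
    """Parse an EHLO reply (RFC 821/2821 syntax) into code, domain and extensions.

    Each line carries a 3-digit code followed by '-' (more lines follow) or
    ' ' (final line). Keywords are case-insensitive, so they are upper-cased.
    """
    lines = _split_lines(raw)
    if not lines:
        raise ValueError("empty reply")
    code = None
    texts = []
    for i, ln in enumerate(lines):
        if len(ln) < 4 or not ln[:3].isdigit() or ln[3] not in "- ":
            raise ValueError(f"malformed reply line: {ln!r}")
        this_code = int(ln[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("inconsistent codes in multi-line reply")
        is_last = ln[3] == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        texts.append(ln[4:])
    first = texts[0].split()
    domain = first[0] if first else ""
    exts = {}
    for t in texts[1:]:
        parts = t.split(None, 1)
        if parts:
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return EhloReply(code, domain, exts)


def decide_tls(reply: EhloReply, require_tls: bool) -> str:
    """Return 'starttls', 'plaintext' or 'abort' for the given EHLO reply.

    With require_tls=True a missing STARTTLS keyword aborts the session
    instead of falling back to cleartext (opportunistic TLS would fall back,
    which is exactly what a downgrade attacker relies on).
    """
    if reply.code != 250:
        return "abort"
    if "STARTTLS" in reply.extensions:
        return "starttls"
    return "abort" if require_tls else "plaintext"


def starttls_reply_ok(raw: str) -> bool:
    """RFC 2487: 220 means 'go ahead'; 454 (temporarily unavailable) or any
    other code means the client must not proceed as if the channel were secured."""
    return reply_code(raw) == 220


# Constructed sample replies (placeholder host names, not real servers).
EHLO_WITH_TLS = ("250-mail.example.com Hello client.example.org\r\n"
                 "250-SIZE 10485760\r\n250-STARTTLS\r\n250 HELP\r\n")
EHLO_NO_TLS = "250-mail.example.com Hello client.example.org\r\n250 SIZE 10485760\r\n"
STARTTLS_OK = "220 2.0.0 Ready to start TLS\r\n"
STARTTLS_FAIL = "454 4.7.0 TLS not available due to temporary reason\r\n"

if __name__ == "__main__":
    for raw in (EHLO_WITH_TLS, EHLO_NO_TLS):
        r = parse_ehlo_reply(raw)
        print(r.domain, sorted(r.extensions), "->", decide_tls(r, require_tls=True))
    print("220 accepted:", starttls_reply_ok(STARTTLS_OK))
    print("454 accepted:", starttls_reply_ok(STARTTLS_FAIL))
```

One caveat from RFC 2487 worth keeping in mind when using this: after a successful TLS handshake the client must send EHLO again and discard everything learned from the cleartext EHLO reply, since that reply could have been altered in transit. Python's own `smtplib` exposes the same check through `SMTP.has_extn("starttls")` after `ehlo()`, and `starttls()` re-issues EHLO for you.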
On Wed, Dec 20, 2000 at 01:41:07AM -0800, Bill Stewart wrote:
A separate discussion over on coderpunks may be helpful here.
From: John Gilmore <gnu@toad.com>
Bram - you can do encryption at the Mail Transfer Agent layer, like encrypting versions of SMTP, or in the mail header/body layer,
I'm not sure where to find the standards for encrypting SMTP, but there are some; look around on sendmail.com.
See RFC 2487, "SMTP Service Extension for Secure SMTP over TLS", which adds the "STARTTLS" command and HELO extension option to the SMTP specification. This permits two SMTP servers to negotiate to use TLS (also known as SSL) encryption before sending email.
Eric Rescorla's new book, "SSL and TLS: Designing and Building Secure Systems" includes two chapters which may be apropos - one which discusses securing SMTP with SSL (including the limitations of that approach), and one which discusses alternative means to reach a similar end, e.g., IPsec or object encryption (where encrypted messages are sent over insecure pipes). It's also generally a very helpful book, and includes a much more detailed discussion of the ephemeral DH modes than does the other contender, "SSL and TLS Essentials: Securing the Web" (also useful) by Stephen Thomas.

--
Greg Broiles
gbroiles@netbox.com
PO Box 897 Oakland CA 94604