EKR (ekr@terisa.com)
19 Aug 1998 08:02:05 -0700
Adam Shostack <adam@weathership.homeport.org> writes:
> Would it be more useful to build a reasonably generic 'crypto tunnel'
> than a sendmail extension? Would it be substantially harder?
How would a generic crypto tunnel differ from SSLeay?
Peter's proposed behavior is straightforward to achieve with
SSLeay right now. I don't know if SSLeay contains support
for the anonymous DH cipherSuites (Eric?), but it certainly
contains support for DSA authenticated ephemeral DH, so in the
worst case you can just use random self-signed certificates.
> The first hurdle is to bind into the connect() in some useful way
> on the outbound connection. On the inbound, a wrapper program (think
> tcpd) can probably be used.
I doubt this will be an acceptable long-term solution
on heavily loaded mail servers because the performance costs
of the fork() are excessive.
Moreover, there is already an internet-draft describing how
to do this with SSL: draft-hoffman-smtp-ssl-07.txt.
-Ekr
-- [Eric Rescorla Terisa Systems, Inc.] "Put it in the top slot."
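The post above relies on ephemeral Diffie-Hellman (anonymous, or DSA-authenticated) as the key exchange underneath an opportunistic SMTP/SSL session. The following is an added illustration, not code from the original thread or from SSLeay, of what that key exchange computes and of the two checks a careful implementation makes before trusting the result: that the group parameters really are a safe prime with a generator of the large subgroup, and that the peer's public value lies in that subgroup. It uses the RFC 3526 MODP group 14 parameters (assumed to be transcribed correctly; the primality check in the block confirms this at import time) and pure-Python modular arithmetic. Authentication of the exchange, whether by a DSA signature over the ephemeral value or by a pinned self-signed certificate as the post suggests, is outside this block: the derived key alone says nothing about who the peer is.

```python
"""Ephemeral Diffie-Hellman with parameter and public-value validation.

Added example for the thread above; not SSLeay code. Group 14 parameters
are from RFC 3526 and are checked for safe-primality below.
"""
import hashlib
import secrets

# RFC 3526 MODP group 14: 2048-bit safe prime p = 2q + 1, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2          # order of the subgroup generated by G
P_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; used to validate the group before any exchange."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group():
    """Refuse to run on a group that is not a safe prime with G of order Q."""
    if not (is_probable_prime(P) and is_probable_prime(Q)):
        raise ValueError("p is not a safe prime")
    if pow(G, Q, P) != 1:
        raise ValueError("generator does not have order q")
    return True


def is_valid_public_value(y):
    """Reject small-subgroup and degenerate values (0, 1, p-1, ...)."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def keygen():
    """Fresh ephemeral key pair: private exponent in [1, q-1], public g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def shared_key(priv, peer_pub, client_pub, server_pub):
    """Derive a 32-byte session key from the DH secret and the transcript.

    Binding the two public values (in a fixed client/server order) into the
    hash means both ends must have seen the same exchange to agree on a key.
    """
    if not is_valid_public_value(peer_pub):
        raise ValueError("peer public value is not in the prime-order subgroup")
    z = pow(peer_pub, priv, P)
    h = hashlib.sha256()
    h.update(z.to_bytes(P_BYTES, "big"))
    h.update(client_pub.to_bytes(P_BYTES, "big"))
    h.update(server_pub.to_bytes(P_BYTES, "big"))
    return h.digest()


def anonymous_exchange():
    """One anonymous DH exchange; returns the key each side derives."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    k_client = shared_key(c_priv, s_pub, c_pub, s_pub)
    k_server = shared_key(s_priv, c_pub, c_pub, s_pub)
    return k_client, k_server


validate_group()

if __name__ == "__main__":
    kc, ks = anonymous_exchange()
    print("keys agree:", kc == ks, "-", kc.hex()[:16], "...")
```

The subgroup check on the peer's value costs one extra modular exponentiation per exchange; on a 1998-era mail server that is the cost the post is already weighing against the fork() of a tcpd-style wrapper, and it is cheap relative to the exchange itself.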