From: Lutz Jaenicke <[EMAIL PROTECTED]>
Subject: Re: secure pop3/smtp how? - problem broken down
Date: Mon, 18 Dec 2000 09:58:21 +0100
> I explicitly meant what I said.
that's what i thought ;-)
i think that saying:
"Modern email software supports using SSL/TLS encrypted channels
without using SSH at all."
is misleading -- at least for clients.
is there a survey of all (or most) email clients somewhere we can
verify the correspondence between "modern" and "ssl/tls support"?
i've made an attempt at a small one for the purposes of looking at pgp
and pgp/mime support. one mirror is at:
http://rmarq.pair.com/pgp/mail-clients-pgp.html
do you know of one that covers ssl/tls? may be we (or someone else)
can start one based on the above table or modify the table above to
contain the info.
> I don't know about your user base, but my user base finally consists of
> people using Netscape and people using Outlook (Express), both of which
> do support SSL/TLS with SMTP in one way or the other.
> Like it or not (I don't like it), both MUAs together have a big market share.
> (I personally do use mutt, which doesn't support SMTP at all, but IMAP and
> POP are supported with TLS/SSL.)
> As far as I could find out, Eudora does not support SSL/TLS, www.kde.org
> seems to be down at the moment, so I cannot tell you about kmail.
for my user-base i discourage the use of netscape, outlook (all
flavors), and eudora because in my experience, none of them correctly
handle pgp/mime simulataneously w/ certain character encodings
(e.g. japanese). in addition, it is very difficult to get any of the
bugs we encouter fixed. [ there are other good reasons not to use
outlook of course ;-) ]
i ask my users to choose from clients that either have source
available or have very responsive developers. a few clients that have
fit the latter category in my experience are:
datula
edmax
becky!
as you may be able to tell from my headers, i use Mew which does have
source available.
afaik, none of these support ssl/tls, and i think it is not accurate
to say they are not "modern" soley because of that lack of support.
> I consider the fact that only around April the US export restrictions where
> changed, so that starting from then things have changed significantly. Also
> people are becoming more aware of security issues.
to verify how much they have changed, we should examine what clients
and servers do and do not support various features -- another relevant
issue is how many of each client and server are actually deployed and
in use (much harder to determine).
> Most servers (MTAs as well as POP/IMAP) by now support TLS/SSL,
> so people (customers?) have to impose pressure on MUA authors to
> support it, too.
if you can figure out how to have user feedback significantly affect
the course of development for clients which don't have source
available and don't have responsive developers, please let me know ;-)
on a more positive note, perhaps surveys comparing mail clients and
the features they have can aid in motivating such developers. it'd
also be nice for mail client and server authors to do open
interoperability testing. i don't see evidence of this anywhere. do
you?
