ietf-822

Re: authenticating the source of mail

2002-05-11 14:22:44


Keith Moore wrote:

> Being able to pin down the source to a "small enough" organization
> or set of people might be enough, and achieving that might be much
> easier than trying to authenticate every single possible individual
> sender.

I don't think the size of the organization matters (if that is your point,
which I'm not sure about). There is certainly some scale involved here but
the core problem of identity within a domain has already been solved by
SMTP AUTH. If I could refuse mail from user(_at_)hotmail(_dot_)com unless it
came from a server authorized to transfer mail on behalf of hotmail.com -- and
if hotmail.com enforced authentication (which they do, via the login page)
-- then I can be pretty sure that user(_at_)hotmail(_dot_)com really sent the
mail.

I don't know many people at cs.utk.edu so the likelihood of somebody from
that domain (assuming that they had privs to send mail through that
server) going to the trouble of forging mail from
moore(_at_)cs(_dot_)utk(_dot_)edu is pretty unlikely, even if SMTP AUTH isn't
used locally.

The problem here is with multi-hops and relays. Some sort of recursive
signatures will probably be required.

As for viruses, not much we can do to stop idiots from opening
attachments. Worms are somewhat constrained by this kind of system though,
since they will have to be sent from the local user, riding on top of the
local server and its authentication mechanisms.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
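
An added example, not part of the original message: a receiver-side check that accepts a sender domain only from servers authorized to transfer mail for it, and shows why a relayed copy fails the same check. The table `AUTHORIZED_SENDERS`, the function names and the documentation-range addresses are assumptions; the message does not say how authorized servers would be published.

```python
import ipaddress

# Constructed policy: networks allowed to transfer mail on behalf of a domain.
# Addresses are documentation ranges, not the real servers of these domains.
AUTHORIZED_SENDERS = {
    "hotmail.com": ["192.0.2.0/24"],
    "cs.utk.edu": ["198.51.100.16/28"],
}

def sender_domain(mail_from):
    """Return the lower-cased domain of an envelope sender, or None."""
    local, sep, domain = mail_from.strip().strip("<>").rpartition("@")
    if not (sep and local and domain):
        return None  # null sender "<>" or malformed address
    return domain.rstrip(".").lower()

def check_source(mail_from, client_ip, table=AUTHORIZED_SENDERS):
    """Return 'authorized', 'unauthorized' or 'unknown' for one SMTP hop."""
    domain = sender_domain(mail_from)
    nets = table.get(domain) if domain else None
    if nets is None:
        return "unknown"  # nothing to compare the connecting server against
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in nets):
        return "authorized"
    return "unauthorized"

def verdict_at_final_hop(mail_from, hop_ips, table=AUTHORIZED_SENDERS):
    """The receiver only sees the last relay's address, not the origin's."""
    return check_source(mail_from, hop_ips[-1], table)

if __name__ == "__main__":
    sender = "user@hotmail.com"
    print(check_source(sender, "192.0.2.25"))      # direct from the domain
    print(check_source(sender, "203.0.113.9"))     # some other server
    # Same message, legitimately forwarded through a third-party relay:
    print(verdict_at_final_hop(sender, ["192.0.2.25", "203.0.113.9"]))
```

The last call returns "unauthorized" even though the first hop was an authorized server, which is the multi-hop and relay problem raised in the message.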