From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org]
On
Behalf Of Mark Delany
Sent: Monday, March 03, 2003 11:38 AM
Lots of bitter pills. RMX only solves the forgery problem and
it potentially breaks:
C. sending off-domain #2 (the local user using a
non-controlled domain,
eg, I want to send email out from my ISP using my Yahoo address)
Let me point out that this boils down to "it solves the forgery
problem but breaks my ability to forge mail."
These are conflicting requirements. The question is whether the
latter (the ability to forge mail, i.e. send mail from one place
that claims to come from another) is a legitimate requirement,
independently of the fact that it's a commonly cited requirement.
Is or isn't it reasonable for a recipient (whether end user or
SMTP server) to refuse to accept email that claims to come from
one source if the system cannot authenticate that it really does?
Personally, I think not - there is no reason I should ever
accept mail that can't be authenticated.
Perhaps there is a two-fold solution: simple domain-based
authentication such as suggsted with RMX, and cryptographic
authentication for others. For example, if you really want to be
able to use your ISP to send email that appears to come from your
Yahoo account, then include a PKI certificate that authenticates
you as the owner of the Yahoo account. People who don't need
that ability need merely send mail from servers registered for
the domain of the purported mail sender.
Gary
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg