On Tue, Mar 04, 2003 at 03:59:51PM -0700, Vernon Schryver wrote:
That is true only provided you still meet the design goals served by
the existing solutions.
Insecurity and forgeability have never ever been a design goal
of SMTP. That's a disadvantage, but not a design goal. It has also
never been a design goal of telnet to make plaintext passwords
available to eavesdroppers.
We cannot fix any security hole as long as we insist on still
fulfilling a so called "design goal" which states insecurity.
Keep in mind the SMTP as we know it was designed more than 20 years
ago (Jon Postels RFC 821 dates from August 1982). In 1982 and before,
there were almost no security considerations in context of internet
protocols, especially for e-mail. The security business developed in
the 90's. Plain SMTP is one of the last dinosaurs of the pre-security
era still alive.
Security didn't play any role in the design of SMTP. Even if it did,
after more than 20 years of progress in internet protocols and
security, such an age-old design goal would require some revision.
So that so called "design goal" is neither existing nor really relevant.
Hadmut
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg