ietf-asrg
[Top] [All Lists]

Re: [Asrg] Re: RMX Records

2003-03-04 21:31:08
From: "Derek J. Balling" <dredd(_at_)megacity(_dot_)org>

Or to get closer to home and recent headlines, for a Hotmail user to
use an AT&T return address.

I think it's perfectly fair, though, for $DOMAIN_HOLDER to be able to 
say "if it's coming from $HERE, we're willing to vouch that it's 
someone who at least has some moderate claim to be from $DOMAIN.

Think of it more as "designating" IPs as "belonging to this domain", or 
"vouching for them" rather than authorization.

If the "IP address here" refers to Hotmail's IP addresses in that
example, then there's no sense in worrying whether Hotmail has authorized
the Hotmail user to send the message.  If the "here" is some IP address
associated with the AT&T domain name that used by the Hotmail user as
a return address, then it is between nonsensical and impractical.

It will never be practical for Hotmail to ask AT&T "is my user who
I think is John Doe living at [refused] in [refused] USA authorized
to use jdoe(_at_)atworldnet(_dot_)att(_dot_)net?"

Even if John buys the premium Hotmail service and gives Microsoft
his credit card number as well as his address, date of birth,
mother's madian name, and his favorite pet's name, he would not want
Microsoft to send enough of that to AT&T to identify him to AT&T so
that AT&T could say "yes, he is authorzed use 
jdoe(_at_)atworldnet(_dot_)att(_dot_)net(_dot_)"

Yes, there are cryptographic protocols that in theory could resolve
that, but in practice they are unworkable for various reasons.
An important reason is that they require either an absolutely
intolerable central identity authority for all all of us, or they require
more shuffling of individual public keys than people can or will tolerate.

A more important reason is that it solves a minor problem.  Most
spammers use return addresses that they are authorized to use.  Only
a little spam uses envelope or header From addresses that can honestly
be called "forged."


Yes, and the trouble is that in practice that cannot be implemented
without the forcing users to use return addresses matching their
sending IP addresses.

Not at all. It requires them to use IP addresses which their 
domain-holder has vouched for.

Nothing would stop me from using my rr.com host to send megacity.org 
mail, so long as the admin of megacity.org was willing to say "if it's 
coming from $THERE, it's ok".

That handwaving and designing wishful thinking that cannot be made
concrete except in uninteresting special cases, no matter how often
it is repeated in news.admin.net-abuse.email.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>