At 12:39 AM -0800 3/5/03, Raymie Stata wrote:
> Another dimension of the design space is the use of cryptographic
> signatures versus DNS-mappings to authenticate domains and/or MTAs.
> Rather than debate this issue in the context of specific proposals, it
> may be worthwhile debating it at a more abstract level.
> I personally favor cryptographic approaches:

I've just joined, and I did skim the archives first, but I may have
missed this. What exactly is meant by DNS-mapping? Only allowing
outbound mail with a given from domain from within that domain? I
think that's clearly unworkable given how many people send mail
"from" their primary address while using a secondary. (A situation
aggravated by port 25 blocking and, more recently, port 25 hijacking,
where the connection is transparently routed to the ISP's server.)

Would you see cryptographic domain verification as being something
where (for example) the sending client or initial MTA would verify
the from domain by using some embedded cryptographic information in
the message and comparing it to information retrieved from the domain
server for that domain?

Note that not all spammers use fake domains. We ran into one who was
generating new domain names every week and using those. We were
finally able to spot his spam reliably from the headers, but he
didn't fail any domain forgery tests.

One issue with verification techniques (and this comes from someone
who normally signs all of his email--just waiting for the PGP Eudora
plugin to come back), is that the next consequence will be trojans
and viruses that steal the keys. Any system in this space should
have a very simple mechanism for canceling and reissuing keys. Poor
ease of use has always been a major factor in keeping signed email
from wide deployment. (As attested by my previous comment about the
Eudora plugin :-).
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg