On Thu, Mar 06, 2003 at 08:46:06AM -0500, Keith Moore wrote:
In US law (and let's do keep in mind that US law isn't axiomatically a valid
template for what should happen) there's a difference between what a speaker
is legally allowed to say without penalty, and what a speaker can be prevented
from saying (prior restraint).
Basically the same as over here.
- Email is one of the oldest network applications, and authentication was not
availble (and probably not feasible) when the protocols were designed. Nor
was it necessary at the time - the network was small enough (both in number of
users and number of machines) that it was relatively easy to track down
miscreants.
No. When e-mail was introduced in the early days, it was based on
UUCP. Every incoming mail had an automatically generated return path
(comparable to today's Received: header lines), but each single node
had to authenticate against each next node in the path. But walking
back that recorded path, you had a full authentication path back to
the origin of the message (except for flaws of password authentication
and the weakness of the nodes themselfes).
When e-mail was moved from UUCP to TCP/SMTP, that kind of
authentication got lost. That's what we suffer from.
All those folks who talk about design goals, common usage of e-mail,
e-mail must be open for everyone, anomous mailing completely ignore
the fact, that e-mail wasn't as open as today in the early
days. That's just a tale. Maybe people should inform a little bit
before claiming design goals.
There was a degeneration in authenticity, and today's people believe
this to be the normal case.
- By explicit design, and for good and valid reasons, domain names have
nothing to do with IP addresses. IP addresses are tied to network locations.
You missed the point. We are not talking about domain names, we are
talking about e-mail addresses, e-mail delivery, SMTP. And this has
very much to do with both domain names and IP addresses. So in context
of e-mail delivery, it seems reasonable to introduce a link.
- By explicit design, and for good and valid reasons, mail originators are
allowed to assert that they are sending a message "From" someone
else.
No. There haven't been "good and valid reasons". It's simply that they
haven't been aware of the security problem around 1980, and that they
couldn't do and need any better at that time. They never had any good
reason to drop the authenticity the had with UUCP. There has never
been an intention to allow arbitrary sender address spoofing.
Some of the burden inevitiably resides with the recipient. Spam is in the eye
of the beholder, it is different things to different people. It is dangerous
for others to presume, in the absence of some instruction from the recipient,
that the recipient doesn't want to see a particular message.
Sure. Bank robbery is also in the eye of the beholder. We shouldn't
generally allow methods against bank robbery. Who knows whether the
bank might like it or not? Just let it be the banks business how to
deal with it...
Hadmut
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg