ietf-asrg

RE: [Asrg] Lets Fix Mailing Lists

2003-03-08 20:51:55
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>

...
  6   Opt-in verification to prove it's me when my original request
  had a digital signature and cert.

That's mistaken.  Signatures and certs may prove (for various notions
of "prove"; recall the Microsoft cert saga) that you are you, but they
do not necessarily bind you to any particular RFC 2821 mailbox.  Your
cert may authenticate you, but it does not by itself authorize you to
subscribe a mailbox to a mailing list.  Outside Redmond and its
colonies, authentication differs from authorization.

DNS Linked PKI addresses that problem, the owner of the DNS zone
can specify what certificates they consider to be valid for the zone.

As for the authorization thing, it is exactly the same as with existing
mail opt-in, if you can read mail to the account you can subscribe it
to a mailing list.
...

Then why did you mention "digital signature and cert"?  Certs, DNS
linked PKI, owners of DNS zones and so forth are all fine and dandy
when you need them but why do you need them to authorize a stream of
mail from a mailing list to a mailbox?  They're irrelevant to
authorization based on replying to a confirmation request received by
the subscribing mailbox.  The only relevance I can see of any sort of
crypto in the subscription process is confidentiality using SMTP-TLS,
PGP, SMIME or the like on the mail stream, but that is not particular
to the subscription process.

I'd also like to see encryption used far more often, but I don't
pump for it when it's irrelevant.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
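
The confirmation-reply authorization discussed in this message, as an added sketch that is not code from the thread or from any mailing list software: the list server mails a token bound to the mailbox and list, and only a reply carrying that token authorizes the subscription. The names `issue_token` and `confirm`, the key, the three-day window and the sample addresses are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed; a real server would use a random secret
TTL = 3 * 24 * 3600               # assumed confirmation window, in seconds


def _mac(mailbox, list_name, expires):
    # Bind the token to the mailbox, the list and the expiry time.
    msg = "\x00".join([mailbox, list_name, str(expires)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(mailbox, list_name, now=None):
    """Token mailed to `mailbox`; only someone who can read that mailbox sees it."""
    issued = int(time.time() if now is None else now)
    expires = issued + TTL
    return f"{expires}.{_mac(mailbox, list_name, expires)}"


def confirm(mailbox, list_name, token, now=None):
    """Authorize the subscription only if the reply carries a valid, unexpired
    token for this mailbox and list. Who signed the original request plays no
    part in the decision."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    expected = _mac(mailbox, list_name, expires)
    return hmac.compare_digest(mac.encode(), expected.encode()) and current <= expires


if __name__ == "__main__":
    t = issue_token("alice@example.org", "asrg", now=1000)
    print(confirm("alice@example.org", "asrg", t, now=2000))  # mailbox reader replies
    print(confirm("bob@example.org", "asrg", t, now=2000))    # token used for another mailbox
```
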
