
Re: [Asrg] Email Certification Path Proposal

2003-03-11 08:25:52
From: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu

...
The "Verisign mistake" happened because there aren't a lot of other things
that *could* have happened.

Yes, but that is only because the PKI notion was based on authenticating
strangers despite men-in-the-middle and all other attacks.
To deal with spam, a DNS TXT RR with a public key would be strong enough.

-To have a certified sender in the sense of a legal entity.
-Keep the privacy of the sender and receiver when necessary.
-Minimize the cost of entity certification.

...
Nice hand-waving.  How do you ensure that the *REMOTE* end actually enforces
it?

Strangers can't be trusted to not be spammers.  Authentication can at
most prove identity.  Contrary to the Verisign PKI whitepapers, the
Microsoft ActiveX promises, and standard authentication spam defense
claims, authentication says nothing about authorization.

my users, you can give me the cookie and I'll hopefully know who to call
in and beat the snot out of them (which was the *original* purpose of
RFC1413 IDENT, incidentally).

No, my recollection of the original, announced purpose of IDENT/TAP
was to prove that the other guy was not a nasty bad guy.  It was only
well into the TAP/IDENT nastiness that silliness was stomped out. 
I remember arguing for what seemed like eons with people that the
IDENT/TAP token was useless for proving virtue.

Of course, a spamhaus already knows who's using their server, and has no
need of running SMTP AUTH to verify that they themselves are the ones
sending the mail....

Yes, authentication is not authorization.  We will always need white-
or blacklists, which are nothing more than authorization mechanisms
to go with authentication mechanisms.

These key/token/signing schemes can only address the sender information
that has been "forged" in the sense of willful misrepresentation of identity.
(I'm sorry Paul, but stopping the thread does not resolve the issue.)


1) There exists a PKI.  In this case, the sender just uses S/MIME or PGP
or whatever, and all the intermediaries need do *NOTHING*.  This message is
PGP signed - if you want you can validate it via the PGP web-of-trust....

If there is a PKI, you've still got nothing.  Spammers can and must
be allowed to buy certs too.  Authentication is not authorization.
Remember that PGP mantra that the web-of-trust only proves a key
is good and does not imply anything about the virtue of the key owner.

2) There isn't a PKI.  If so, then everybody is basically just using
self-signed certificates, which prove approximately nothing...


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
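The "authentication is not authorization" point above, as an added illustration that is not code from this thread: a sender domain publishes an Ed25519 public key (here a constructed map standing in for the DNS TXT records mentioned earlier), the receiver verifies the signature, and only then consults a separate allow/block list. The domain names and the list contents are made up for the example; a spammer who publishes a key authenticates perfectly well and is rejected only by the authorization step.

```go
package main

import "crypto/ed25519"
// Constructed stand-in for the DNS TXT records the post mentions (domain ->
// published public key; a real verifier would query DNS), plus allow/block
// lists kept apart on purpose: they are authorization data, not key data.
var (
	txtRecords = map[string]ed25519.PublicKey{}
	blocklist  = map[string]bool{"spamhaus.example": true}
	allowlist  = map[string]bool{"bank.example": true}
)

type Message struct {
	From, Body string // claimed sender domain and body
	Sig        []byte // Ed25519 signature over From + "\n" + Body
}

// Publish generates a key pair for domain and "publishes" the public half.
func Publish(domain string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		panic(err)
	}
	txtRecords[domain] = pub
	return priv
}

// Sign builds a message signed with priv that claims to come from `from`.
func Sign(priv ed25519.PrivateKey, from, body string) Message {
	return Message{From: from, Body: body, Sig: ed25519.Sign(priv, []byte(from+"\n"+body))}
}

// Authenticate only checks that the key published for From signed the message.
func Authenticate(m Message) bool {
	pub, ok := txtRecords[m.From]
	return ok && ed25519.Verify(pub, []byte(m.From+"\n"+m.Body), m.Sig)
}

// Decide chains the two steps; a valid signature alone never yields "accept".
func Decide(m Message) string {
	switch {
	case !Authenticate(m):
		return "reject-forged" // claimed domain's key did not sign this
	case blocklist[m.From]:
		return "reject-blocked" // authenticated, and known to be a spammer
	case allowlist[m.From]:
		return "accept"
	}
	return "neutral" // authenticated stranger: other filters still apply
}
```

A message whose From names a domain with no published key, or whose body was altered after signing, fails the first step the same way a forged From does.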
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg