
Re: [Asrg] What would authentication authenticate?

2003-03-11 16:21:23


On Tue, 11 Mar 2003, Kee Hinckley wrote:


> In the email space we have seen several types of authentication
> discussed.  I may have the details wrong here as I haven't had time
> to do more than skim the domain proposals.
>
> 1. Domain
> Determines that a user is allowed to send email from a domain.  This
> assumes that the domain itself has determined the user to be valid
> (which may or may not be a valid assumption).  This can be done
> non-cryptographically (comparing the sending IP to a convention for
> DNS lookup) or cryptographically (comparing a token in the
> message/transport to something you look up somewhere).

Can you make this clearer? Does "from a domain" mean "from a particular
connection address?" Does it involve any of the email addresses in the
message? Mechanically, will the receiver look up the domain from one of
the email addresses and get information from the owner of that domain
about eligibility of the IP address to originate mail? Or will the
receiver look up the IP address and get information about the allowed
email addresses?

It seems like either one constrains the spammer to some minimum level of
consistency, but doesn't place a significant obstacle in his path, unless
an IP address is not authorized to originate any mail at all. In that
important case, it will be effective.  But aren't there simpler ways to
accomplish that? Why involve the email addresses at all? Couldn't the
authorization information be associated with the reverse DNS record for
the sending host?







_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
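
The two lookup directions asked about in the message above, side by side, as an added example that is not part of the original post or of any proposal it refers to. The tables stand in for DNS data; the record layout, the function names and every address and domain in it are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins for DNS data; no real record format is implied.
# Forward direction: the domain owner lists networks allowed to send for it.
DOMAIN_POLICY = {
    "example.com": ["192.0.2.0/28"],
    "bulk.example": ["203.0.113.5/32"],   # a spammer's own, self-consistent domain
}
# Reverse direction: the address owner marks whether a host may originate mail.
REVERSE_POLICY = {
    "192.0.2.10": True,      # example.com's outbound relay
    "203.0.113.5": True,     # the spammer's own server
    "198.51.100.7": False,   # dial-up pool host, not meant to send mail directly
}

def check_by_domain(ip, mail_from):
    """Look up the sender address's domain, then test the connecting IP."""
    domain = mail_from.rpartition("@")[2].lower()
    nets = DOMAIN_POLICY.get(domain)
    if nets is None:
        return "none"                      # domain publishes nothing
    addr = ipaddress.ip_address(ip)
    ok = any(addr in ipaddress.ip_network(n) for n in nets)
    return "pass" if ok else "fail"

def check_by_reverse_dns(ip):
    """Look up the connecting IP only; no e-mail address is consulted."""
    allowed = REVERSE_POLICY.get(ip)
    if allowed is None:
        return "none"
    return "pass" if allowed else "fail"

def evaluate(ip, mail_from):
    """Return (domain-based result, reverse-DNS-based result)."""
    return check_by_domain(ip, mail_from), check_by_reverse_dns(ip)

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "alice@example.com"),     # legitimate relay
        ("198.51.100.7", "alice@example.com"),   # forged domain from pool host
        ("203.0.113.5", "offers@bulk.example"),  # consistent spammer
        ("198.51.100.7", "x@unlisted.example"),  # domain with no policy
    ]
    for ip, sender in cases:
        print(f"{ip:15} {sender:22} {evaluate(ip, sender)}")
```

The third case passes both checks, and the fourth is rejected only by the reverse lookup, which never consults an e-mail address.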