
RE: [Asrg] You say tomato, I say authentication

2003-03-12 08:19:37
For the purposes of fighting spam the following configuration would be
sufficient:

1) Alice's client generates self signed cert
2) Alice's client uses DNS srv to discover XKMS service for email zone
3) Alice's client registers certificate with XKMS service

4) Alice sends email to Bob

5) Bob's client looks up the policy of Alice's DNS zone; it is "always authenticate using S/MIME, no root key specified, XKMS service specified".
6) Bob checks that message is signed correctly
7) Bob retrieves Alice's self signed cert via XKMS locate


Obviously you get additional value from a trusted third party, particularly
if you want to use the certs for more than spam control.

However, it is a heck of a lot better than what we have now, security-wise, for email, which in almost all cases is diddly squat.

                Phill
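
The seven steps above, worked through as an added Go example that is not from the post or from any ASRG project: the DNS zone policy, the SRV record and the XKMS service are constructed in-memory stand-ins (assumed names, no network), the message signature is a plain Ed25519 signature standing in for S/MIME, and Bob's check shows what a self-signed cert with no root key does and does not establish: the message is tied to the address in the cert, nothing more.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-ins, no network: zone policy (step 5), SRV record (step 2), XKMS store (step 3).
var (
	zonePolicy = map[string]string{"alice.example": "always-authenticate smime xkms"}
	srvRecord  = map[string]string{"_xkms._tcp.alice.example": "xkms.alice.example"}
	xkmsStore  = map[string][]byte{} // "service/e-mail address" -> DER certificate
)

func zoneOf(email string) string { return email[strings.LastIndex(email, "@")+1:] }
// Step 1: Alice's client mints a self-signed cert binding her address to her key.
func selfSignedCert(email string, pub ed25519.PublicKey, priv ed25519.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
// Steps 5-7: Bob checks the zone policy, locates the sender's cert through XKMS and verifies.
// No root key is in the policy, so the cert is checked only for self-consistency and for naming From.
func verify(from, body string, sig []byte) error {
	if !strings.HasPrefix(zonePolicy[zoneOf(from)], "always-authenticate") { return errors.New("no authenticate policy for " + zoneOf(from)) }
	der, ok := xkmsStore[srvRecord["_xkms._tcp."+zoneOf(from)]+"/"+from] // XKMS Locate by address
	if !ok { return errors.New("XKMS locate found no cert for " + from) }
	cert, err := x509.ParseCertificate(der); if err != nil { return err }
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil { return err }
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != from { return errors.New("cert does not name " + from) }
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(from+"\n"+body), sig) { return errors.New("message signature does not verify") }
	return nil
}
// scenario runs the flow end to end: the genuine message must verify, a tampered body must not.
func scenario() (genuine, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	alice := "alice@alice.example"
	der, err := selfSignedCert(alice, pub, priv); if err != nil { return err, err }
	xkmsStore[srvRecord["_xkms._tcp."+zoneOf(alice)]+"/"+alice] = der // steps 2-3: SRV discovery, XKMS register
	sig := ed25519.Sign(priv, []byte(alice+"\nhi Bob"))                   // step 4: Alice signs and sends
	return verify(alice, "hi Bob", sig), verify(alice, "hi Bob, send money", sig)
}
func main() { fmt.Println(scenario()) }
```

A sender from a zone that publishes no such policy, or whose cert XKMS cannot locate, fails the same check, which is exactly the drop-unauthenticated behaviour the thread is after.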

-----Original Message-----
From: mike(_dot_)pearson(_at_)ssc(_dot_)govt(_dot_)nz [mailto:mike(_dot_)pearson(_at_)ssc(_dot_)govt(_dot_)nz]
Sent: Tuesday, March 11, 2003 9:22 PM
To: asrg(_at_)ietf(_dot_)org
Subject: [Asrg] You say tomato, I say authentication


IMHO, people on this list have different ideas of authentication and where to apply it.  Therefore a lot of messages are speaking at cross purposes.

What I want from authentication, S/MIME, is to know 100% that an email address is the real email address of the sender.  NOT the identity of the sender.


- I can then drop any message which is not authenticated (you have the right to message anonymously, but I should have the right to decline to listen to you)

- I will allow any message from my friends / business partners' mail domains straight through, and get on with my life

- I might allow messages from authenticated strangers in trusted domains, to see what you have to say, but if you abuse it, then I can choose to filter them, or their entire domain.


As I said in my previous posting "[Asrg] Proven solution for authenticating messages" - you don't need authentication software at the client end, move it up to the ISP gateway and reduce the complexity of the problem.  (In New Zealand, we don't have 1000s of ISPs, probably not even 100s).



Regards, Mike Pearson

Personal: The views expressed are not necessarily those of my employer.

ph  +64 (4) 495-6769   mobile +64 (21) 631-731
fax +64 (4) 495-6669 
mailto:mike(_dot_)pearson(_at_)ssc(_dot_)govt(_dot_)nz 
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
