For the purposes of fighting spam the following configuration would be
sufficient:
1) Alice's client generates a self-signed cert
2) Alice's client uses DNS SRV to discover the XKMS service for the email zone
3) Alice's client registers the certificate with the XKMS service
4) Alice sends email to Bob
5) Bob's client looks up the policy of Alice's DNS zone; it is: always authenticate using S/MIME, no root key specified, XKMS service specified.
6) Bob checks that the message is signed correctly
7) Bob retrieves Alice's self-signed cert via XKMS Locate
Obviously you get additional value from a trusted third party, particularly if you want to use the certs for more than spam control.
However, it is a heck of a lot better than what we have now security-wise for email, which is in almost all cases diddly squat.
Phill
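The seven-step flow above, modelled in Go as an added example (this is not code from the thread or from any XKMS or S/MIME implementation). The DNS zone policy and the XKMS service are stand-in maps, the self-signed cert is an X.509 certificate over an Ed25519 key, and S/MIME signing is reduced to a signature over the message body; the names zonePolicy, xkmsRegistry, RegisterSender and Verify are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-ins, not real DNS or XKMS: a zone listed in zonePolicy
// publishes "always authenticate with S/MIME, no root key, use this XKMS
// service" (step 5); xkmsRegistry models XKMS Register (3) and Locate (7).
var zonePolicy = map[string]string{"example.org": "https://xkms.example.org/"}
var xkmsRegistry = map[string][]byte{} // sender address -> DER self-signed cert

// RegisterSender is Alice's client in steps 1 and 3: an Ed25519 key in a self-signed cert naming her address.
func RegisterSender(addr string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), EmailAddresses: []string{addr},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // self-signed: parent == template
	if err != nil {
		return nil, err
	}
	xkmsRegistry[addr] = der
	return priv, nil
}

// Verify is Bob's client in steps 5 to 7; a nil error means "authenticated". No root key is checked.
func Verify(from string, body, sig []byte) error {
	der, located := xkmsRegistry[from] // step 7: XKMS Locate by the claimed sender address
	if zonePolicy[from[strings.LastIndex(from, "@")+1:]] == "" || !located {
		return errors.New("zone publishes no S/MIME policy or no cert located: unauthenticated")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil || len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != from {
		return errors.New("certificate is unparsable or does not name the claimed sender")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, body, sig) { // step 6: signature check
		return errors.New("signature does not verify under the located certificate")
	}
	return nil
}
```

A message whose sender address is unregistered, whose zone publishes no policy, or whose body was altered after signing fails Verify, which is the filtering decision Bob's client would make.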
-----Original Message-----
From: mike(_dot_)pearson(_at_)ssc(_dot_)govt(_dot_)nz
[mailto:mike(_dot_)pearson(_at_)ssc(_dot_)govt(_dot_)nz]
Sent: Tuesday, March 11, 2003 9:22 PM
To: asrg(_at_)ietf(_dot_)org
Subject: [Asrg] You say tomato, I say authentication
IMHO, people on this list have different ideas of authentication and where to apply it. Therefore a lot of messages are speaking at cross purposes.

What I want from authentication, S/MIME, is to know 100% that an email address is the real email address of the sender. NOT the identity of the sender.

- I can then drop any message which is not authenticated (you have the right to message anonymously, but I should have the right to decline to listen to you)
- I will allow any message from my friends' / business partners' mail domains straight through, and get on with my life
- I might allow messages from authenticated strangers in trusted domains, to see what you have to say, but if you abuse it, then I can choose to filter them, or their entire domain.

As I said in my previous posting "[Asrg] Proven solution for authenticating messages" - you don't need authentication software at the client end; move it up to the ISP gateway and reduce the complexity of the problem. (In New Zealand, we don't have 1000s of ISPs, probably not even 100s.)
Regards, Mike Pearson
Personal: The views expressed are not necessarily those of my
employer.
ph +64 (4) 495-6769 mobile +64 (21) 631-731
fax +64 (4) 495-6669
mailto:mike(_dot_)pearson(_at_)ssc(_dot_)govt(_dot_)nz
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg