ietf-asrg

[Asrg] RE: You say tomato, I say authentication

2003-03-12 10:19:28
Instead of authenticating senders, what if we authenticated
sender-domains, leaving it to domains to authenticate senders (or not)?

Further, what if we pushed the signing part of the problem onto MTAs,
"originating MTAs" to be exact?

So Phillip Hallam-Baker's story goes more like this:

0) On an on-going basis, Alice's domain maintains a certificate(s) for
   e-mail authentication/integrity.  Self-signed or not, doesn't
   matter, registered in XKMS service for the domain.

1) To send mail, Alice uses SMTP to post the message to an
   "originating MTA" blessed by her domain.  (Of course, we'd all like
   to see that domain use an authenticated variant of SMTP to verify
   Alice's identity, but if you think about it, this is really a
   policy issue that perhaps domains would prefer we left to them.)

2) This MTA receives the message, (perhaps checks that the message
   meets certain of the domain's policies), signs it (S/MIME) using
   (one of) the above-mentioned certificate(s).

3) If Bob (or his receiving MTA) care, they can check the message on
   arrival.

Potential advantages of doing this at the domain rather than sender level:

a) Many fewer certificates and thus potentially (much) more scalable.

b) No concerns about the adequacy of (sending) MUAs.

c) No concerns about (human) senders being confused, having to
   learn, making mistakes, being apathetic, etc.

d) Because it's now easier for domains to take "ownership" of their
   outgoing mail, there's a bit more fairness to white/blacklisting of
   entire domains.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
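
Steps 0-3 of the message above, sketched with OpenSSL's S/MIME commands. This is an added example, not part of the original post. The domain example.org, the file names and the message text are constructed, and a local certificate file stands in for the XKMS lookup.

```shell
#!/bin/sh
# Added example: steps 0-3 above with OpenSSL S/MIME.
# example.org, file names and the message text are constructed.
W=$(mktemp -d)

# Step 0: the domain keeps one (here self-signed) signing certificate.
domain_setup() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=example.org" \
    -keyout "$W/domain.key" -out "$W/domain.crt" 2>/dev/null
}

# Steps 1-2: the originating MTA signs the message Alice posted.
# $1 = message file, $2 = signed output file
mta_sign() {
  openssl smime -sign -text -in "$1" -out "$2" \
    -signer "$W/domain.crt" -inkey "$W/domain.key" 2>/dev/null
}

# Step 3: Bob's MTA checks the signature, then checks that the signing
# certificate names the domain the mail claims to come from.
# $1 = signed message, $2 = claimed sender domain
# Assumption: domain.crt stands in for the certificate Bob would fetch
# from the sender domain's key service.
mta_verify() {
  openssl smime -verify -in "$1" -CAfile "$W/domain.crt" \
    -signer "$W/signer.crt" -out /dev/null 2>/dev/null || return 1
  openssl x509 -in "$W/signer.crt" -noout -subject -nameopt RFC2253 |
    grep -q "CN=$2\$"
}

demo() {
  domain_setup || return 1
  printf 'Lunch at noon.\n' > "$W/msg.txt"
  mta_sign "$W/msg.txt" "$W/signed.eml" || return 1
  # A copy altered after it left the originating MTA.
  sed 's/noon/midnight/' "$W/signed.eml" > "$W/tampered.eml"
  mta_verify "$W/signed.eml" example.org && echo "intact: accepted"
  mta_verify "$W/tampered.eml" example.org || echo "tampered: rejected"
  mta_verify "$W/signed.eml" example.net || echo "wrong domain: rejected"
}
demo
```

The signature only proves the message passed through an MTA holding the domain's key; whether that MTA authenticated Alice remains the domain's policy, as step 1 says.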