None was big help at this point and none (except VeriSign, though
presentation was still one-sided towards S/MIME) tried to see what else
similar is available that may not be commercial and may do the same.

Actually if I had had a little more time it would probably have been rather
clearer that I was proposing a range of authentication options, starting
with the free ones albeit with certain possible counter-strategies.
S/MIME is clearly an authentication option and the most flexible for this
particular application (PGP is a close second but there is a conflict in
that the PGP security model is strictly endpoint based and hence does not
immediately map to a service MTA gateway deployment unless a validation
service like XKMS is interjected). However S/MIME is also the most expensive
to deploy - whether you issue your own certificates or pay a CA since you
need a cert for every end user which is expensive to manage, far more
expensive than an SSL cert.
The only "authentication" strategy I think is bogus is using the reverse
DNS. This will at best demonstrate that the address block the IP is in has
been legitimately allocated. This is actually a modest spam indicator, it is
certainly not foolproof and is certainly not an accept/deny criterion. Lots
of legitimate IP addresses do not have reverse DNS configured. There are
definitely instances where garbage creators (high volume spam senders) have
hijacked unallocated IP ranges and advertised routes for them.
The problem is that it is almost as easy for the garbage creator to hijack a
legit IP address range by advertising a false route. So all things being
equal I would rather not create incentives for garbage creators to move to
strategies that are far more destructive.
Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg