
Re: [Asrg] Answers to the questions on PKI etc

2003-03-21 20:26:35
To: asrg(_at_)ietf(_dot_)org

...
The other point is that authentication is only one half of access control.
The other half is authorization. You are not obligated to accept a message
just because it is signed or otherwise authenticated.

However, a simple algorithm for choosing the parties I would whitelist would
be to take the F500 companies, the Internet 500 companies, the edu domains,
the major ISPs who implement rate filtering, etc.

All the rest of the mail would go through very tight filtering and I would
accept a very high level of false positives on the residual. 


If someone really wants to contact me they can go to a hosted mail provider
that implements rate limiting and send a contact ping.

That's another way of saying that serious (e.g. crypto) authentication
has little to do with spam solutions.  Little spam is forged from the
F500 etc., so you can get most of the effects of using serious
authentication by whitelisting those domains with (an equivalent of)
sendmail access_DB entries (i.e. toy authentication) and then requiring
contact pings and so forth.   This avoids holding your correspondent's
hands while they figure out certs, CAs, PGP key rings, or whatever you
pick for authentication.

(Note that I said "relatively little spam is forged from the F500
etc.," but not "no spam".)


Of course, the trouble with this is that white-listing is not a
solution for spam except for people who don't have or need not have
a spam problem, because they do not want to receive mail from
strangers.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
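The authentication/authorization split and the access_DB-style whitelisting discussed in this thread, as an added Python example that is not part of any message above; the domain names, the `ACCESS_DB` table and the `authenticated` flag are assumptions, not anything from the thread.

```python
from dataclasses import dataclass

# Constructed allow-list in the spirit of sendmail access_db entries:
# a key matches the domain itself and every subdomain beneath it.
# The domain names are placeholders, not real organisations.
ACCESS_DB = {
    "f500-example.com": "OK",          # a large company
    "example.edu": "OK",               # an edu domain
    "rate-limited-isp.example": "OK",  # an ISP that rate-limits its users
}


@dataclass
class Message:
    sender_domain: str
    authenticated: bool  # whether the claimed domain was verified (assumed MTA check)


def access_lookup(domain: str, table: dict = ACCESS_DB):
    """Walk from the full name up through its parent domains, as sendmail's
    access map does, and return the first entry found (None if no match)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = table.get(".".join(labels[i:]))
        if entry is not None:
            return entry
    return None


def policy(msg: Message, table: dict = ACCESS_DB) -> str:
    """Authentication establishes who sent the message; authorization
    decides whether that identity earns a bypass of the tight filtering."""
    if not msg.authenticated:
        # An unverified claim to be f500-example.com is worth nothing:
        # the allow-list only means something for verified senders.
        return "strict-filter"
    if access_lookup(msg.sender_domain, table) == "OK":
        return "accept"
    # Verified identity, but a stranger: still goes through tight filtering,
    # where a high false-positive rate is accepted.
    return "strict-filter"
```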