ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Authentication (no longer Re: [Asrg] My Opinion...)

2003-03-25 23:29:16
from [Vernon Schryver] [Permanent Link] 
From: Wes Peters <wpeters(_at_)stbernard(_dot_)com>



...
No, you don't.  All you need is a promise from the "sumitting" MTA (the 
MTA that speaks to the senders MUA) that it has used SOME form of 
authentication to verif the user is who he says he is.

This has been the crux of the problem all along, and one of the reasons 
why I am completely unsympathetic to the cries of the large ISPs that 
they are being inundated by spam.  The spam problem is caused by ISPs 
who allow mail to enter the network without sender authentication.  If 
all ISPs required sender authentication, we wouldn't have this problem.

So here's the simplified version: the submitting MTA "signs" the message 
in some way verifying that it can and will, at the very least, disable 
the end user account associated with the sender if that sender abuses 
the network.  This signature is verifiable and has an abuse coordinator 
associated with it.

The final MTA (the MTA that communicates with the recipients MUA) 
decides if the recipient will receive mail from the verified sender.  
...


That seems to be based on the common but quite mistaken notion that all
email involves "submitting" MTAs run by a few big ISPs.  In fact SMTP
is and should be a point to point protocol as much as the "file sharing"
protocols.  Many outfits run their own MTAs that talk to "submitting" MTAs.
Essentally all big outfits do this, as well as many smaller organizations
that don't trust the competence of the big ISPs.  Many long time IETF
and IRTF contributors as well as the IETF itself are in this boat.
All of us authenticate and authorize all of the mail our "submitting"
MTAs submit to our MTAs, whether it is spam or not.

All of this is irrelevant to the spam problem.  ISPs don't need to be
involved in signing or authenticating our mail to ensure we are not
sending spam.  Whether we buy raw IP bandwidth to run our own submitting
MTAs or we use the submitting MTAs of our ISPs, our ISPs know who we
are and could terminate our accounts if we send spam.  The problem is
that many ISPs can't be bothered or don't want to lose our business.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: 5c. Message Status - Re: [Asrg] ASRG work items, Vernon Schryver
Next by Date:  Re: [Asrg] Certs required to send mail, Brad Templeton
Previous by Thread:  Re: Authentication (no longer Re: [Asrg] My Opinion...), Wes Peters
Next by Thread:  RE: [Asrg] My Opinion regarding ietf asrg session (it went badly! ), Hallam-Baker, Phillip
Indexes:  [Date] [Thread] [Top] [All Lists]