ietf-asrg

[Asrg] SMTP over SSL

2003-04-01 18:22:36
I want to dwell for a moment on an idea that several have articulated as
a potential part of an overall solution: use of SMTP over SSL.

As I understand things, the core idea to be leveraged is that of
SSL-client-auth: the SMTP client (which is also the SSL client) presents
certificate credentials (along with a proof of possession of the
certified key during the SSL connection dance) derived from some
authority mutually trusted by SMTP client and SMTP server, thereby
authenticating itself as being a particular sending domain, or perhaps a
particular individual or other identity.

If I'm getting that right, I have a couple questions:

1) Is it a particular sending DNS domain that ought to be certified, or
something else?

2) This seems to be more complicated (particularly getting the key
management right) if relaying is involved. For example, in a situation
where mail outbound from an organization relays (for any of a number of
legitimate reasons) through outsourced staging relays before hitting the
actual SMTP hop to the receiving organization, it would seem that some
administrative infrastructure is needed so that the relayer
could be correctly seen to be relaying on behalf of each of the
organizations it services. Do others agree with this implication?

'Just trying to understand people's thoughts clearly,

        Bob

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
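
The two questions in the message above, worked as an added example that is not part of the original post or of any ASRG proposal: a receiving server maps an already chain-validated client certificate to the envelope sender domain, first directly and then through a relay delegation table. It assumes the certified identity is a DNS name in subjectAltName and that delegation is a locally maintained table; `authorize`, `DELEGATIONS` and the sample certificates are hypothetical and constructed.

```python
# Input shape follows the dict returned by ssl.SSLSocket.getpeercert() after
# the TLS layer has verified the chain; this code only maps identity to sender.

def cert_dns_names(peer_cert):
    """DNS identities from the certificate's subjectAltName entries."""
    return {value.lower().rstrip(".")
            for kind, value in peer_cert.get("subjectAltName", ())
            if kind == "DNS"}

def sender_domain(mail_from):
    """Domain part of an SMTP envelope sender such as <bob@example.org>."""
    addr = mail_from.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("envelope sender has no domain: %r" % mail_from)
    return domain.lower().rstrip(".")

def authorize(peer_cert, mail_from, delegations):
    """Return (allowed, reason) for this client certificate and MAIL FROM."""
    try:
        domain = sender_domain(mail_from)
    except ValueError:
        return False, "malformed-sender"
    names = cert_dns_names(peer_cert)
    if not names:
        return False, "no-dns-identity"
    if domain in names:
        # Question 1 (assumed answer): the cert certifies the sending domain.
        return True, "direct"
    if names & delegations.get(domain, set()):
        # Question 2: the relay is listed as acting for this domain.
        return True, "delegated-relay"
    return False, "not-authorized"

# Constructed sample data (assumption: one outsourced relay serves two orgs).
ORG_CERT = {"subjectAltName": (("DNS", "example.org"),)}
RELAY_CERT = {"subjectAltName": (("DNS", "relay.example.net"),)}
DELEGATIONS = {
    "example.org": {"relay.example.net"},
    "example.com": {"relay.example.net"},
}

if __name__ == "__main__":
    for cert, sender in [(ORG_CERT, "<bob@example.org>"),
                         (RELAY_CERT, "<bob@example.org>"),
                         (RELAY_CERT, "<eve@example.edu>")]:
        print(sender, authorize(cert, sender, DELEGATIONS))
```

The delegation table is the "administrative infrastructure" the second question points at: every domain the relay serves needs an entry, and a stale entry lets the relay keep sending for a former customer.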


