ietf-asrg

Re: [Asrg] SMTP over SSL

2003-04-01 19:55:22
I am a big supporter of the SSL/certificate based certification for servers. I haven't kept up with the list for a couple of weeks though, so I might be missing a couple of points. But here goes with my two cents:

Question 1:
The way that I had envisioned, individual servers would be issued certificates (SSL, some new standard, etc.). Those certificates basically were used to state that "This server will not broadcast spam". The issue of DNS, at least in my mind, should not come up. As long as the IP address of the sending machine matches the IP address on the certificate, and the certificate authority verifies it, it should be okay.

Question 2:
This seems to be an issue for the administrator of the outgoing SMTP server. It is up to him to make sure that only authorized persons can relay mail through it, and that those authorized people are not doing bad things (i.e. spamming). Failure to do so could cause his server's certificate to be revoked. If you are an ISP, this could be a very bad thing, indeed.

Eric

Bob Atkinson wrote:

I want to dwell for a moment on an idea that several have articulated as
a potential part of an overall solution: use of SMTP over SSL.

As I understand things, the core idea to be leveraged is that of
SSL-client-auth: the SMTP client (which is also the SSL client) presents
certificate credentials (along with a proof of possession of the
certified key during the SSL connection dance) derived from some
authority mutually trusted by SMTP client and SMTP server, thereby
authenticating itself as being a particular sending domain, or perhaps a
particular individual or other identity.

If I'm getting that right, I have a couple questions:

1) Is it a particular sending DNS domain that ought to be certified, or
something else?

2) This seems to be more complicated (particularly getting the key
management right) if relaying is involved. For example, in a situation
where mail outbound from an organization relays (for any of a number of
legitimate reasons) through outsourced staging relays before hitting the
actual SMTP hop to the receiving organization, it would seem that some
administrative infrastructure is needed so that the relayer
could be correctly seen to be relaying on behalf of each of the
organizations it services. Do others agree with this implication?

'Just trying to understand people's thoughts clearly,

        Bob

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
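
Added example, not part of either message above: a sketch of the check described under Question 1 (the connecting machine's IP must match an IP on its certificate) together with the revocation consequence from Question 2, run against a constructed certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns. The addresses, serial numbers, REVOKED_SERIALS and the function names are assumptions, and chain validation by the TLS stack is assumed to have happened already.

```python
import ipaddress

# Constructed sample: the dict shape returned by ssl.SSLSocket.getpeercert()
# once the TLS stack has validated the chain (verify_mode = CERT_REQUIRED).
SENDER_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("DNS", "mail.example.org"),
                       ("IP Address", "192.0.2.25"),
                       ("IP Address", "2001:DB8:0:0:0:0:0:25")),
}

# Hypothetical stand-in for the certificate authority's revocation list.
REVOKED_SERIALS = {"0DEAD1"}


def certified_ips(cert):
    """Return the set of IP addresses listed in the certificate's SAN."""
    ips = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address":
            try:
                ips.add(ipaddress.ip_address(value.strip()))
            except ValueError:
                continue  # malformed entry: ignore rather than trust it
    return ips


def check_sender(cert, peer_ip, revoked=REVOKED_SERIALS):
    """Decide whether a connecting SMTP client passes the IP-bound check."""
    if not cert:
        return "reject: no client certificate"
    if cert.get("serialNumber", "").upper() in revoked:
        return "reject: certificate revoked"
    peer = ipaddress.ip_address(peer_ip)
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack sockets.
    if peer.version == 6 and peer.ipv4_mapped:
        peer = peer.ipv4_mapped
    if peer not in certified_ips(cert):
        return "reject: peer address not in certificate"
    return "accept"
```

A relay forwarding on behalf of the certified organization connects from its own address, which is not in the originating server's certificate, so this check rejects it unless the relay presents a certificate of its own.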





