Question 1:
The way that I had envisioned, individual servers would be issued
certificates (SSL, some new standard, etc.). Those certificates
basically were used to state that "This server will not
broadcast spam".
No try, "The owner of this server has undertaken not to spam and
if they do not you can serve papers at this address"
The issue of DNS, at least in my mind, should not come up.
You need to know that the owner of the domain has a policy of
using SSL.
As long as
the IP address of the sending machine matches the IP address on the
certificate, and the certificate authority verifies it,
should be okay.
IP address can be included in certs, however DNS name is better.
The problem with IP address is that they tend to be variable,
in many data centers the mail server is behind a NAT in any case
and nothing the IETF says on this point is going to be taken
notice of (and given previous statements, quite rightly)
Another problem is that in the really big data centers the
machine can be on multiple IP addresses and they can change
over time. We have separate feeds from at least two ISPs
into each of our datacenters. You want to minimize the number
of dependencies if you switch.
Question 2:
This seems to be an issue for the administrator of the
outgoing SMTP
server. It is up to him to make sure that only authorized
persons can
relay mail through it, and that those authorized people are not doing
bad things (i.e. spamming). Failure to do so could cause his
server's
certificate to be revoked. If you are an ISP, this could be
a very bad
thing, indeed.
There can be a range of policies with this regard, all of which
are essentially don't spam but indicate the specific actions they
undertake not to do. A corporation can probably be much more
specific here than an ISP could since they have much more
control over their users.
It need not be one size fits all.
Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg