ietf-asrg
[Top] [All Lists]

Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-02 15:50:45


Vernon Schryver wrote:

From: "Tom Thomson" <tthomson(_at_)neosinteractive(_dot_)com>

...
SMTP-AUTH is specifically desgigned for a closed trusted environment (read the RFC - the words it uses are "within a trusted enclave") so it's not at all surprising that it hasn't been deployed to solve a problem in a wide-open uncontrolled environment. Do SUBMIT or SMTP-TLS have relevance to our issue any more than SMTP-AUTH does? I
think not!

I think that caveat about SMTP-AUTH is merely a statement of the fact
that talk about authenticating strangers is nonsense.  Authentication
is only half of authentication and authorization.  Does it make sense
to trust everyone outside your trusted enclave?--of course not!  You
cannot know whether a stranger, whether authenticated or not, sending
you mail is also sending copies to 50,000,000 of your closest friends.
Authentication is meaningless outside "a trusted enclave."


Although some MUAs have signature/checking capabilities, rather a lot have no such capability. Do any of the webmail systems have such capability? Even where an MUA has the capability, is it usable by the average user? Plainly and simply, the signature and checking capabilities of current MUAs are not designed to address our issue.

I think that is wrong, because I think most people use Netscape, Outlook,
or Outlook express.  I know Netscape has long handled cert-signed mail,
because I've tried it.  I've not tried Outlook (Express), but I've the
impression they also can do it.


Post Script: I suspect vernon will be very unhappy if the group ends up supporting approaches other than one particular one; but I'm not going to decry that particular one because it wasn't invented here, and I just wish he would show other members of this list that same courtesy. We are going to need to apply lots of partial solutions and not reject anything that is useful just because it will not solve more than 90% of the problem on day one.

Just for my own information, could you let me know which approach I
prefer?

I can't think of anything that might qualify as a solution to spam
except what I think is inevitable legislation that will tax or license
bulk mail.  That will not really solve the spam problem but only change
the spammers and limit the total spam in most mailboxes.  I do hope
that the DCC might help with spam after that legislation, but it does
not qualify as a solution now or then.
How will legislation help anything? As soon as you do that, all of the spammers will move to other countries, removing themselves from US/Canadian/British/Whoever's jurisdiction. In other words, unless everyone is prepared to cut off China and Russia from the rest of the Internet, legislation will not solve the problem.

Eric