At 3:22 AM -0600 4/10/03, John Fenley wrote:
Administrator maintained public "choicelist"(functions as a
whitelist, and a blacklist) database:
Who administers this? And who can read it?
Database curator:
Again. What's the scope of this job? Per-ISP?
2. protect the security of the database against unauthorized changes.
How are changes authorized?
4. give id# of the list's entry to subscribers so they can receive
the list, or use a system where they send the first message to
subscribe to the list.
These ID #'s are unique world-wide? Who guarantees that?
1. enter # given when you sign up for a list if your mail service
supports it, or send a subscribe message to the list.
Enter # (or list?) where?
1. allow user to enter id #s.
Into what?
When a new user joins the system:
1. They choose a user name, and a password.
2. they enter contact info, to prevent hijacking.
How does that prevent hijacking?
Fenley, Dagmar
1985 N 360 East
PROVO, UT 84604
#1 Each time your system receives an email message the sender's
address is checked against a whitelist.
Where is "your system" in this model. MTA, MUA?
If the name IS on the list deliver the message. end
If the name IS NOT on the list proceed to #2.
#2 Check the choicelist database, and compare the numbers returned
against the user's choicelist. If no number is returned go to #3. If
the number is in the user's choicelist deliver the message. end
If the number is not in the user's choicelist delete the message. end
More critically. You've described a complex whitelisting system
using unique numbers (not sure why, the email address is also unique,
and the mapping between the two appears to be public, although I'm
not certain from the description). What does that gain over just
whitelisting the address? And how does it do any more to prevent
forgery than just whitelisting the address?
--
Kee Hinckley
http://www.messagefire.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
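
Added example, not part of the original message or of either participant's proposal: the quoted delivery steps #1 and #2 written out next to a plain address whitelist, to show what input each decision actually uses. It assumes the ID is looked up from the sender address alone; all addresses, IDs and host names are constructed, and step #3 is only named because the quoted text does not describe it.

```python
from email.utils import parseaddr

# Constructed sample data; addresses, IDs and hosts are not from the thread.
CHOICELIST_DB = {"news@lists.example.org": 1001, "promo@bulk.example.net": 2002}
MESSAGES = [
    {"from": "List News <news@lists.example.org>", "origin": "mx.lists.example.org"},
    {"from": "List News <news@lists.example.org>", "origin": "unrelated-host.example.com"},
    {"from": "promo@bulk.example.net", "origin": "mx.bulk.example.net"},
    {"from": "stranger@example.com", "origin": "mx.example.com"},
]

def sender_of(msg):
    """Claimed sender from the From: header; the check never sees msg['origin']."""
    return parseaddr(msg["from"])[1].lower()

def choicelist_verdict(msg, whitelist, user_ids, db=CHOICELIST_DB):
    """Steps #1 and #2 as quoted. Step #3 is not described, so it is only named."""
    addr = sender_of(msg)
    if addr in whitelist:                 # step #1: personal whitelist
        return "deliver"
    list_id = db.get(addr)                # step #2: address -> ID lookup (assumed)
    if list_id is None:
        return "step-3"
    return "deliver" if list_id in user_ids else "delete"

def address_verdict(msg, whitelist, user_ids, db=CHOICELIST_DB):
    """Same policy expressed as plain address lists, with no ID indirection."""
    addr = sender_of(msg)
    allowed = whitelist | {a for a, i in db.items() if i in user_ids}
    if addr in allowed:
        return "deliver"
    return "delete" if addr in db else "step-3"

def run(whitelist=frozenset({"friend@example.com"}), user_ids=frozenset({1001})):
    """Return (origin, ID-scheme verdict, address-only verdict) per sample message."""
    return [(m["origin"], choicelist_verdict(m, whitelist, user_ids),
             address_verdict(m, whitelist, user_ids)) for m in MESSAGES]

if __name__ == "__main__":
    for origin, by_id, by_addr in run():
        print(f"{origin:28} id-scheme={by_id:8} address-only={by_addr}")
```

Under these assumptions the two columns agree for every message, and the first two messages get the same verdict although they arrive from different hosts, because both checks are keyed on the unauthenticated From: address.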