ietf-asrg

Re: [Asrg] seeking comments on new RMX article

2003-05-05 13:27:16
Dave,

On Mon, May 05, 2003 at 12:16:11PM -0700, Dave Crocker wrote:

> what does it mean to hold them responsible, when there are no global
> rules to which a sender is held?

It means: 

- to hold them responsible by the rules and laws of the country 
  the Spam comes from. Most Spam originates from the US. Many
  countries have or develop laws against Spam.

- if the message comes from a country without rules, to 
  identify the country where the domain resides and to give 
  you that information to base your decision on

- to allow blacklisting domains or responsible persons mentioned
  in the whois entry




> However, it DOES mean that it is dangerous to claim that authentication
> will be used as a basic technique, unless there is some reason to
> believe that the technique will be successful now, in spite of not being
> successful for 10 years.

That's nonsense. RMX is a completely different kind of authentication.
It doesn't require any special software or configuration on the MUA
side, and it doesn't require per person key generation. 

The main reason is that PGP and S/MIME didn't have any real
purpose for the masses, it was a complicated game which became
boring. They take a severe overhead of user interaction for every
single mail.

RMX solves a real problem people have 10-20 times a day. PGP and
S/MIME never did so. RMX doesn't require user interaction (once it is
installed).



> the reference was to authenticated senders.  pgp and s/mime authenticate
> senders.  rmx does not.

Exactly. That's what RMX is designed for. RMX is designed to not
handle user details, that's to be left in the domain's private
business. RMX covers the domain part only to keep it smart and simple 
and to avoid work for every single user. Its expense is O(1). 
To be precise in security science, RMX is not even an authentication.
Actually, the authentication is done by TCP/IP, where TCP traffic
allows one to sufficiently ensure that the peer IP address is reliable. 
A higher level of security is not reasonable since mail delivery by
SMTP also is limited to the TCP/IP address check. So the sending
MTA's "name" is the IP address and the "authentication mechanism" is 
TCP/IP. (I know, this is not a real good one, but it is sufficient for
this purpose.) RMX is the method to distribute the authorization
information through DNS. It tells you which IP addresses are
authorized to use the given domain as part of the sender address. 
That's it. No sender authentication. Being cheap, simple, and robust
is the design goal. Not 2048-bit-security that nobody uses.

Hadmut
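
The check described in the message above, as an added example that is not part of the original post or of the RMX proposal: the receiving MTA takes the peer IP of the TCP connection and the domain of the sender address, and asks whether that IP is among those the domain authorized. The `PUBLISHED` table, the CIDR notation and all function names are assumptions standing in for the DNS lookup, whose record syntax the message does not give.

```python
import ipaddress

# Constructed stand-in for the authorization data a domain would publish in
# DNS. The real RMX record syntax is not shown in this message, so plain CIDR
# strings are used here as an assumption.
PUBLISHED = {
    "example.org": ["192.0.2.0/28", "2001:db8:25::/64"],
    "example.net": ["198.51.100.7/32"],
}

def lookup_authorized_networks(domain):
    """Hypothetical resolver: networks a domain published, or None if none."""
    nets = PUBLISHED.get(domain.lower().rstrip("."))
    if nets is None:
        return None
    return [ipaddress.ip_network(n) for n in nets]

def sender_domain(envelope_from):
    """Return the domain part of an envelope sender, or None if there is none."""
    addr = envelope_from.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain

def check_sender(peer_ip, envelope_from, lookup=lookup_authorized_networks):
    """Classify as 'authorized', 'unauthorized', 'no-policy' or 'no-domain'.

    peer_ip is the address of the TCP connection, the only identity the
    receiving MTA has for its peer. The local part of the sender is ignored:
    the decision is per domain, not per user.
    """
    domain = sender_domain(envelope_from)
    if domain is None:
        return "no-domain"      # e.g. the null sender <> used for bounces
    networks = lookup(domain)
    if networks is None:
        return "no-policy"      # domain published nothing; cannot decide
    ip = ipaddress.ip_address(peer_ip)
    # Mixed IPv4/IPv6 membership tests are safe: a version mismatch is False.
    if any(ip in net for net in networks):
        return "authorized"
    return "unauthorized"
```

Two different users at the same domain get the same verdict from the same peer IP, which is the domain-level authorization, not sender authentication, that the message describes.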
