Here is the problem as I see it:
1. Anybody can send forged mail.
2. Recipients need a way of verifying identity.
3. Any method of identity verification requires at least 1 out of band
transfer of information.
4. Various methods proposed have tried to use existing systems to
facilitate this transfer.
5. Existing systems were not designed with authentication in mind.
The solution I see:
We should develop a standard way of facilitating any out of band transfer,
with authentication in mind.
John Fenley
Here is something I just thought of. Sorry if anyone feels I'm treating this
list like a think tank, 'cause that's kind of how I see it.
=========================================
InformationChallenge/AutoResponse:
Sender side method that allows authentication.
When a message is sent, a trigger indicating IC/AR compliance is sent as
well. Possibly placed in the header.
When a message in IC/AR format is received, it is responded to
automatically with information the recipient has chosen.
These IC/AR requests could be of the format:
Subject: IC/AR:(sender picks random #)
Then responded by:
Subject: IC/AR Reply:(same random number back)
==body==
PgP Signature: <xxxxxxxxx>
other Signature: <xxxxxxxxx>
Valid Ip addresses: <xxx.xxx.xxx.xxx>, <xxx.xxx.xxx.xxx>,
Some future info: <XX&XXX.AAZZXX>
I think this would allow some sender authentication for people who want it,
without messing with existing systems.
It assumes 3 things:
1. If you can receive mail to an address you have the right to make some
decisions about it.
2. The chance of somebody spoofing both a from address and a random number
you choose, to trick you into receiving false info, is small.
3. The bandwidth and processing done would not place too much extra burden
on either senders or recipients.
4. This would not interfere with anyone not using the system.
==========================================
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
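
The IC/AR exchange proposed in the message above, as an added example that is not part of the original post: the verifier mails a random number to the claimed From address, the address owner's auto-responder echoes it with its chosen information, and the verifier accepts the reply only when the number matches. The addresses, IP values, function names, the pending-challenge table and the single-use rule are assumptions made for the illustration.

```python
# Added example: IC/AR challenge/reply sketch. Addresses, IPs and function
# names are constructed for illustration; they are not from the proposal.
import hmac
import secrets
from email.message import EmailMessage

CHALLENGE, REPLY = "IC/AR:", "IC/AR Reply:"

def make_challenge(verifier, claimed_sender, pending):
    """Verifier picks a random number and mails it to the claimed From address."""
    nonce = secrets.token_hex(16)
    pending[claimed_sender.lower()] = nonce      # one outstanding number per address
    msg = EmailMessage()
    msg["From"], msg["To"] = verifier, claimed_sender
    msg["Subject"] = CHALLENGE + nonce
    return msg

def auto_respond(challenge, published_info):
    """Address owner's auto-responder: echo the number, attach the chosen info."""
    subject = str(challenge["Subject"] or "")
    if not subject.startswith(CHALLENGE):
        return None                              # not an IC/AR request, ignore it
    reply = EmailMessage()
    reply["From"], reply["To"] = str(challenge["To"]), str(challenge["From"])
    reply["Subject"] = REPLY + subject[len(CHALLENGE):]
    reply.set_content("\n".join(f"{k}: {v}" for k, v in published_info.items()))
    return reply

def accept_reply(reply, pending):
    """Return the published info only if the echoed number matches, else None."""
    subject = str(reply["Subject"] or "")
    if not subject.startswith(REPLY):
        return None
    sender = str(reply["From"]).lower()
    expected = pending.get(sender)
    echoed = subject[len(REPLY):].strip()
    if expected is None or not hmac.compare_digest(expected.encode(), echoed.encode()):
        return None                              # unsolicited reply or wrong number
    del pending[sender]                          # single use, so a replayed reply fails
    info = {}
    for line in reply.get_content().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            info[key] = value
    return info
```

The match only shows that the reply came from someone who can read mail at the claimed address, which is assumption 1 in the post; it says nothing about who that person is.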