Beyond this, I also think that C/R systems should be required
to provide full support for message-id, in-reply-to and references
headers. That is, the framework should state that challenges
and responses must (not should) provide a unique message-id
and must (not should) properly form in-reply-to and references
headers from prior e-mails in the chain. By implementing these
RFC2822 recommendations, C/R systems will give each other
valuable information to address both looping and spoofing
concerns.

I agree that we should have a references: header (just like the one in
NNTP). This would be useful for threading mail conversation threads among
other things. I have often wondered why current clients don't maintain
this header and utilize it when available. It would be so useful.

I think as has been mentioned previously in regards to CR systems in
general (and I don't remember if it was mentioned in the CRI case), that
what should happen is that the messages should be digitally signed by the
sender. The CR system would filter based on the digital signature rather
than the FROM address. Thus it would be quite possible for people to have
multiple clients with the same digital signature (one for each e-mail
address say) and they would only have to undergo the CR once -- even if
they switched ISPs. Furthermore, it would virtually eliminate spoofing
since even if someone were able to obtain a previous copy of someone's mail
and a list of all their friends, they still would be unable to spoof the
digital signature. When whitelisting occurred, it would whitelist a
particular person's signature rather than their e-mail address.

I'm not sure if the CRI framework provides for this or not as I have a hard
time keeping up with things (just as many in this list apparently do).

Is there a brief synopsis of the current state of the CRI framework so I
can refresh my memory on everything? (Which would be much better than
having to re-read all the CRI messages. ;-)

-Art
--
Art Pollard
http://www.lextek.com/
Suppliers of High Performance Text Retrieval Engines.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
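
The following is an added example, not part of the original message or of any CRI draft: a sketch of how a C/R filter could use Message-ID, In-Reply-To and References to recognise responses to its own challenges and to avoid challenging replies to its own outbound mail (the looping case). The HMAC tag inside the challenge Message-ID, the host name, the secret and all sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

SECRET = b"constructed-demo-key"   # assumption: per-site secret
DOMAIN = "cr.example.org"          # assumption: our C/R host name

def challenge_id(token):
    """Message-ID for an outgoing challenge: unique token plus HMAC tag."""
    tag = hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()[:16]
    return f"<{token}.{tag}@{DOMAIN}>"

def is_our_challenge(msgid):
    """True only if msgid carries a tag we could have produced."""
    local, _, domain = msgid.strip("<>").partition("@")
    token, _, _tag = local.rpartition(".")
    if domain != DOMAIN or not token:
        return False
    return hmac.compare_digest(challenge_id(token).encode(), msgid.encode())

def referenced_ids(msg):
    """All message-ids named in In-Reply-To and References (may be folded)."""
    joined = f"{msg.get('In-Reply-To', '')} {msg.get('References', '')}"
    return [i for i in joined.split() if i.startswith("<") and i.endswith(">")]

def classify(raw, sent_ids):
    """Decide what a C/R filter does with an incoming message."""
    msg = message_from_string(raw)
    if not msg.get("Message-ID"):
        return "nonconformant"      # violates the 'must provide message-id' rule
    refs = referenced_ids(msg)
    if any(is_our_challenge(r) for r in refs):
        return "response"           # answers a challenge we really issued
    if any(r in sent_ids for r in refs):
        return "no-challenge"       # reply to our own mail: challenging it could loop
    return "challenge"              # unknown thread: issue a challenge

# Constructed sample messages (not real traffic).
OURS = challenge_id("c1f0")
SENT = {"<out-17@user.example.org>"}
RESPONSE = f"Message-ID: <r1@a.example>\nIn-Reply-To: {OURS}\n\nok\n"
FORGED = (f"Message-ID: <r2@a.example>\n"
          f"In-Reply-To: <c1f0.deadbeefdeadbeef@{DOMAIN}>\n\nok\n")
REMOTE_CHALLENGE = ("Message-ID: <ch9@b.example>\n"
                    "References: <x@b.example>\n <out-17@user.example.org>\n\nconfirm?\n")
NO_ID = f"In-Reply-To: {OURS}\n\nok\n"
```

A forged In-Reply-To that guesses the token but not the tag is treated like any unknown sender, while a remote system's challenge that references our outbound Message-ID is passed through without a counter-challenge.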