ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] CRI Header

2003-06-13 03:33:53
from [Yakov Shafranovich] [Permanent Link] 
At 10:50 PM 6/10/2003 -0400, waltdnes(_at_)waltdnes(_dot_)org wrote:


On Sun, Jun 08, 2003 at 10:47:00AM -0400, Eric Dean wrote
> I'm pretty sure that it's clear we should move forward with proposing
> a new RFC2822 header.  If a BOF wants to throw an X in front of
> it, then so be it.  I'll proceed br producing a draft with real
> 2822-type headers.
>
> However, if someone out there is interested, we could interoperate
> in the meantime using X or optional headers as well as with proposed
> 2822 headers

  Has any consideration been given to doing this at the SMTP stage
rather than as part of DATA: ?  E.g. an EHLO which tries to negotiate a
set of features, including CHRE:.  If the destination MTA says "Yes, I
do CHRE:", then do a "CHRE:" step just after the "RCPT:" step.
Advantages to this include...
We had been discussing this, especially considering that TitanKey's system is starting to move in that direction. We want to define the headers approach first, followed by MIME headers and ESMTP. We had also been considering using the ESMTP extension used for DSNs (RFCs 3461-3464) and the Message Tracking Protocol that is being developed by an IETF WG.
The consensus seems to be that SMTP approach is not right for everyone, the basic approach is using headers and MIME, with SMTP as an option for those who want it. 


  1) Spam runs from compromised home machines (Jeem.pv and Guzu) with
forged "From:" addresses don't mailbomb innocent 3rd parties if rejected
at SMTP time.
That was the advantage the Peter from TitanKey pointed out. His current system rejects email at SMTP level before the DATA command, and then sends a challenge. 


  2) Yes, I realize that the ISP's MTA will have to keep state
information regarding the luser's preferences.  However, it comes down
to either a) ISP's server doing it (maybe luser enters pre-emptive
             whitelist/blocklist via web interface), or
          b) luser administering it on his own MUA (Aunt Ethel or your
             parents, yeah sure)
Privacy issues are a big concern here. Keep in mind that in the USA, this information can be subpoened by many parties ranging from the RIAA seeking copyright pirates to the FBI via the FBIS. Some approaches here such as using checksums, one way functions, cryptography, etc. are needed. 


  3) Clients can change MUA's, restore backed-up drives, format and
re-install, access email via web interface or laptop or handheld, etc,
etc, without worrying about replicating/propagating a small distributed
database over several client MUA's and devices.  An XML structure to
download and upload settings would also be nice for synchronizing
multiple accounts at different ISPs.
We cannot mandate the changes to the whole world. As I mentioned, SMTP approach would be optional. 


  4) This would require changes in MTA rather than MUA.  The top 10 or
twenty ISP's on the planet probably have 100,000,000 customers. Questions
     a) is it going to be easier to implement changes at a couple of
        dozen locations (plus multiple redundant MTAs) or a hundred
        million locations (multiplied by the number of devices/MUA's the
        clients use to access their email) ?
     b) as per 2-b) do you expect Aunt Ethel to be competent to download
        and install updated MUA's ?  Hint, consider how many people use
        the default browser/mailer/newsreader that came with their OS.

  5) Doing C/R via embedded headers means having to accept the entire
email, because headers are part of DATA:.  This uses additional
bandwidth, even if the destination MTA issues a 550.

  6) Which is going to to impose more load on an MTA
     a) handling an extra stage in the SMTP negotiation
     b) accepting the entire email and parsing the entire body looking
        for C/R headers

  7) What about mailing lists (like this one for instance) that use
b0rken 2-bit defaults where hitting "r" to reply sends a reply not to
the list but to the individual sender ?  How difficult is it to insert a
"Reply-To:" header?  How are MUAs going to handle Envelope-From.  Don't
talk to me about "Return-Path:".  Many ISPs don't generate this on
incoming email, many MUAs don't use it, and your Aunt Ethel doesn't know
what it is, let alone the difference between "MAIL FROM:" and "From:".
All these issues are good points, thats why we are looking at an optional SMTP protocol. 
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] Statistical Analysis shows SPF should work Pretty Well, Yakov Shafranovich
Next by Date:  Re: [Asrg] Statistical Analysis shows SPF should work Pretty Well, Yakov Shafranovich
Previous by Thread:  Re: [Asrg] CRI Header, waltdnes
Next by Thread:  Re: [Asrg] CRI Header, waltdnes
Indexes:  [Date] [Thread] [Top] [All Lists]