Re Howard Roth's proposal for RFV's, etc....
I think this proposal is addressing a real opportunity in a bad way.
Basically, what it seems that what the author is looking for is a way
for a server to state whether or not it was, in fact, the sender of a
specific message. The approach used in the proposal is to generate
additional network traffic by having the recipient of a message query
the claimed sender as to whether or not it did actually send the
message.
If the goal is really to determine whether the stated sender
actually sent the message and if you're willing to write new
code/protocol in order to get such a statement, then the "correct" way
to do this is to have the originating server simply sign outgoing
messages. Recipients would then look in some well known place to find
the appropriate certificates with which to validate the signatures. (It
would be most convenient if the location of the certificate repository
for the domain and/or server were found by doing a lookup on a resource
in the domain's DNS record.)
Note: Such a mechanism would be very easy to implement, cheap to
operate, distributed, provides for gradual acceptance, etc.... But, for
some reason, people seem not to like signatures. I don't understand why.
bob wyman
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg