Vernon Schryver wrote:
> Ok, but why do you care about servers instead of persons?

Because that was the focus of the message to which I was
responding! The base proposal was for a system that involved
recipient's mail servers exchanging messages with a sender's
servers in order to verify which server had sent the message.
I was pointing out that this sort of bandwidth-heavy exchange
can be eliminated by using signatures instead.

> It sounds as if you are making the familiar assumption that
> every legitimate sender transmits only via a small number
> of SMTP clients.

I make no such assumption. Also, such an assumption would
be irrelevant to this discussion since we're only talking
about verifying servers -- not clients.

> why is it any harder for a spammer to get a signed,
> throw-away domain name than to get a throw-away personal
> or other certificate?

Why should it be hard? As far as I can see, there are only
two useful reasons to verify the identity of a sending
server: First, so that you can build white/black lists and
Second, so that you can detect false statements in mail
headers. Of the two, the first is clearly the most important.
Both of these two benefits arise from verification whether it
is cheap or expensive.
bob wyman
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg