[Asrg] 0. General - News Article - Replacing SMTP
2003-08-01 10:41:04
I just ran across the following news article from CNET's News.com which
raises some interesting issues regarding proposals to replace the SMTP
protocol. It also discusses the ASRG in some detail. Here is the link:
http://news.com.com/2102-1038_3-5058610.html
The article raises some interesting issues regarding the basic debate over
SMTP: to replace or not to replace. According to the current requirements
draft and the technical considerations document, the ASRG is leaning
towards solutions that do not impose a tremendous adoption burden on users,
which would preclude replacing SMTP entirely now, but would definitely
allow such replacement long-term.
Some quotes:
-----snip-----
"The protocol that has defined e-mail for more than two decades may have a
fatal flaw: It trusts you. Developed when the Internet was used almost
exclusively by academics, the Simple Mail Transfer Protocol, or SMTP,
assumes that you are who you say you are. SMTP makes that assumption
because it doesn't suspect that you're sending a Trojan horse virus, that
you're making fraudulent pleas for money from the relations of deposed
African dictators, or that you're hijacking somebody else's computer to
send tens of millions of ads for herbal Viagra. In other words, SMTP trusts
too much--and that has spam foes, security mavens and even an original
architect of today's e-mail system agitating for an overhaul, if not an
outright replacement, of the omnipresent protocol."
"While critics generally agree on what SMTP lacks, debate abounds on how to
fix it. Some who worked on the protocol in its early days argue that it is
flexible enough to have successfully evolved over the years--having
absorbed numerous revisions and extensions--and that the authentication
problem can be partially solved with existing technologies. "Authentication
in SMTP is not that hard," Paul Hoffman, director of the Internet Mail
Consortium and author of numerous computer-related books, wrote in an
e-mail interview. "There is already a protocol for doing it, namely running
SMTP over SSL/TLS. And, yes, I wrote it." (The SMTP over SSL/TLS protocol
is available at the Internet Engineering Task Force's Web site.) The hard
part, according to Hoffman and others, is establishing the "trust
relationships" required to back up any computer-based authentication
scheme--in other words, verifying that a person is who he or she claims to
be. The problem worsens, Hoffman said, when trying to design a system that
authenticates mail servers, rather than individuals. In part, this is
because a third party would have to determine whether an e-mail server is
responsible for sending spam. That kind of responsibility--voluntarily
assumed by operators of various spam blacklists--could be onerous and
expensive if applied to the Internet as a whole. "Who is paying this third
party for both the time and the legal risk in doing this?" Hoffman asked."
"Some say rewriting SMTP from the ground up would be prohibitively
difficult because of the protocol's global user base, which is estimated to
be in the hundreds of millions. "The difficulty of changing the transfer
technology as a way of managing unsolicited bulk e-mail is the installed
base," said Rodney Tillotson, the chair of the Anti-Spam Working Group for
the Reseaux IP Europeens (RIPE), a consortium of European Internet service
providers. "There are thousands or millions of SMTP servers transferring
and delivering mail, and getting them all changed will take years, during
which time the (unsolicited bulk e-mail) problem probably remains
unsolved," Tillotson said. "Proposals requiring a change to desktop mail
software are even harder to deploy." Sluizer counters this by suggesting
two protocols--SMTP and a new one, with tighter authentication--could
easily coexist, with e-mail applications supporting both side by side. In
that way, people using one protocol would not be prevented from exchanging
mail with those using another."
"The RIPE antispam group isn't alone in conducting an online debate about
changing fundamental protocols to stem the tide of spam. The Internet
Engineering Task Force (IETF) this spring established a research group to
come up with ideas on how to attack the problem from the protocol level.
But critics call the IETF's efforts belated and say that efforts to solve
the spam crisis can't wait while a standards body deliberates. "Given that
it's taken six-plus years for the IETF to get around to deciding spam is a
big enough issue that they should charter a 'research group' to look at it,
I just can't bring myself to be hopeful that we'll see the IETF ratifying
any major overhauls to SMTP before the decade is out," Ray Everett-Church,
chief privacy officer of the ePrivacy Group, said in an e-mail interview."
-----snip-----
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] 0. General - News Article - Replacing SMTP,
Yakov Shafranovich <=