ietf-asrg

[Asrg] 0. General - News Article - Replacing SMTP

2003-08-01 10:41:04
I just ran across the following news article from CNET's News.com which raises some interesting issues regarding proposals to replace the SMTP protocol. It also discusses the ASRG in some detail. Here is the link:

http://news.com.com/2102-1038_3-5058610.html


The article raises some interesting issues regarding the basic debate over SMTP: to replace or not to replace. According to the current requirements draft and the technical considerations document, the ASRG is leaning towards solutions that do not impose a tremendous adoption burden on users, which would preclude replacing SMTP entirely now, but would definitely allow such replacement long-term.

Some quotes:
-----snip-----
"The protocol that has defined e-mail for more than two decades may have a fatal flaw: It trusts you. Developed when the Internet was used almost exclusively by academics, the Simple Mail Transfer Protocol, or SMTP, assumes that you are who you say you are. SMTP makes that assumption because it doesn't suspect that you're sending a Trojan horse virus, that you're making fraudulent pleas for money from the relations of deposed African dictators, or that you're hijacking somebody else's computer to send tens of millions of ads for herbal Viagra. In other words, SMTP trusts too much--and that has spam foes, security mavens and even an original architect of today's e-mail system agitating for an overhaul, if not an outright replacement, of the omnipresent protocol."

"While critics generally agree on what SMTP lacks, debate abounds on how to fix it. Some who worked on the protocol in its early days argue that it is flexible enough to have successfully evolved over the years--having absorbed numerous revisions and extensions--and that the authentication problem can be partially solved with existing technologies. "Authentication in SMTP is not that hard," Paul Hoffman, director of the Internet Mail Consortium and author of numerous computer-related books, wrote in an e-mail interview. "There is already a protocol for doing it, namely running SMTP over SSL/TLS. And, yes, I wrote it." (The SMTP over SSL/TLS protocol is available at the Internet Engineering Task Force's Web site.) The hard part, according to Hoffman and others, is establishing the "trust relationships" required to back up any computer-based authentication scheme--in other words, verifying that a person is who he or she claims to be. The problem worsens, Hoffman said, when trying to design a system that authenticates mail servers, rather than individuals. In part, this is because a third party would have to determine whether an e-mail server is responsible for sending spam. That kind of responsibility--voluntarily assumed by operators of various spam blacklists--could be onerous and expensive if applied to the Internet as a whole. "Who is paying this third party for both the time and the legal risk in doing this?" Hoffman asked."

"Some say rewriting SMTP from the ground up would be prohibitively difficult because of the protocol's global user base, which is estimated to be in the hundreds of millions. "The difficulty of changing the transfer technology as a way of managing unsolicited bulk e-mail is the installed base," said Rodney Tillotson, the chair of the Anti-Spam Working Group for the Reseaux IP Europeens (RIPE), a consortium of European Internet service providers. "There are thousands or millions of SMTP servers transferring and delivering mail, and getting them all changed will take years, during which time the (unsolicited bulk e-mail) problem probably remains unsolved," Tillotson said. "Proposals requiring a change to desktop mail software are even harder to deploy." Sluizer counters this by suggesting two protocols--SMTP and a new one, with tighter authentication--could easily coexist, with e-mail applications supporting both side by side. In that way, people using one protocol would not be prevented from exchanging mail with those using another."

"The RIPE antispam group isn't alone in conducting an online debate about changing fundamental protocols to stem the tide of spam. The Internet Engineering Task Force (IETF) this spring established a research group to come up with ideas on how to attack the problem from the protocol level. But critics call the IETF's efforts belated and say that efforts to solve the spam crisis can't wait while a standards body deliberates. "Given that it's taken six-plus years for the IETF to get around to deciding spam is a big enough issue that they should charter a 'research group' to look at it, I just can't bring myself to be hopeful that we'll see the IETF ratifying any major overhauls to SMTP before the decade is out," Ray Everett-Church, chief privacy officer of the ePrivacy Group, said in an e-mail interview."
-----snip-----

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


