At 1:38 PM -0400 8/1/03, Yakov Shafranovich wrote:
"The protocol that has defined e-mail for more than two decades may
have a fatal flaw: It trusts you. Developed when the Internet was
used almost exclusively by academics, the Simple Mail Transfer
Protocol, or SMTP, assumes that you are who you say you are. SMTP
makes that assumption because it doesn't suspect that you're sending
a Trojan horse virus, that you're making
That's really not true. The fundamental problem has nothing to do
with SMTP and trust, it has to do with the lack of any way to
identify a person on-line. Given that we don't even have usable,
reliable ways to identify people *off*-line, that's not terribly
surprising.
You can envision two ways around it. One is a standard cryptographic
identification system backed by some central authorizing
organization. The other is a closed centralized mail system in which
it is impossible to send email unless the sender is provably the
person who would receive any replies.
Neither of those are going to happen, any more than we'll fix the
corresponding identification problems in the realspace.
The whole thing SMTP thing is a red herring. Because not only do you
have to solve the identity problem, you *also* would have to link
each identities to a physical personal or company, and be able to
recognize the commonality of all identities owned by that person.
Otherwise throw-away identities keep the problem alive.
And finally you'd need an enforcement mechanism to prevent abuse. It
does me no good to know the name of the person who is mail-bombing my
server if I can't stop him.
Given those issues, putting the blame on SMTP is pretty laughable.
The problem has nothing to do with technology, and everything to do
with society. That's not to say that technology can't alleviate the
problem. But "fixing" SMTP is not going to solve anything.
Technically the SMTP fix already exists, and has for years. The fact
that it isn't widely deployed makes it clear that the problem is
elsewhere.
As is alluded to here, but apparently not in a way that was strong
enough to nix the finger pointing at SMTP:
partially solved with existing technologies. "Authentication in SMTP
is not that hard," Paul Hoffman, director of the Internet Mail
Consortium and author of numerous computer-related books, wrote in
an e-mail interview. "There is already a protocol for doing it,
namely running SMTP over SSL/TLS. And, yes, I wrote it." (The SMTP
over SSL/TLS protocol is available at the Internet Engineering Task
Force's Web site.) The hard part, according to Hoffman and others,
is establishing the "trust relationships" required to back up any
computer-based authentication scheme--in other words, verifying that
a person is who he or she claims to be. The problem worsens, Hoffman
said, when trying
--
Kee Hinckley
http://www.messagefire.com/ Anti-Spam Service for your POP Account
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg