ietf-asrg

Re: 3. Requirements - Anonimity (was Re: FW: [Asrg] 0. General)

2003-10-29 13:06:37
I submit that authentication is irrelevant unless you use the output of
the process as the input to a filter.

Clearly you can reject mail that the authentication process flags as forged.

But not all email will be authenticated and some of the authenticated email
will be spam.

This does not disqualify authentication from consideration, it just means to
be realistic.

Equally I detect something of a damned if you do or don't attitude. I
personally believe that there is a lot of potential in mechanisms such as
spf which offer less than cryptographically secure authentication. I think we
also need to go further but there is no cost to the receiver to support both
and weight according to the actual spam reduction measured. Why argue over
an issue when there will be an empirical measure?

The pushback we get against spf or rmx is that it is spoofable and ownership
of a domain alone is not sufficient. Ok use certs.

The pushback we get against certs is that the above is unrealistic! The
process is too expensive etc. Sure it is a reasonable argument, but not if
you also claim that spf is insufficient.

I suspect that there is truth to both sides, spf will be sufficient short
term and limited domain but hey it is free. So are certificates if people
are right and it turns out we do not need them.

I suggest that if the architectural approach is broad enough there will be a
use for whatever is proposed. There is a general problem with binding dns
names to protocols in the reverse direction. Spam is only one symptom.

Phill


 -----Original Message-----
From:   Brad Knowles
Sent:   Wed Oct 29 05:11:13 2003
To:     David Maxwell
Cc:     Jonathan A. Zdziarski; Jon Kyme; ASRG
Subject:        Re: 3. Requirements - Anonimity (was Re: FW: [Asrg] 0. General)

At 3:20 PM -0500 2003/10/27, David Maxwell wrote:

 In the case of Access controls, if someone has a tight consent
 definition such as 'I accept mail from these four people', and if mail
 senders are authenticated, then this recipient will _never_ get
 something outside of that consent definition.

        Depends on how you define "mail from these four people", and how 
you prove beyond a shadow of a doubt that the message did actually 
come from them.  What about messages forwarded by them from other 
people?  Does the message have to originate uniquely from one of 
these four people, or are they allowed to forward messages that they 
themselves did not write?

 I don't recall making any criticism of filters besides a) cpu intensive
 and b) can't ever be perfect.

        I submit that authentication methods can also be CPU intensive, 
and usually also have a small percentage of failures, both false 
negatives and false positives.

-- 
Brad Knowles, <brad(_dot_)knowles(_at_)skynet(_dot_)be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++)
R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
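
An added illustration of the point made in the message above (not code from the thread or from any participant): authentication results are fed to a filter as inputs, each weighted by how well it separated spam from legitimate mail in a labelled sample. The sample counts, outcome names and function names are constructed for this example.

```python
import math
from collections import Counter

# Constructed, labelled sample: (spf_result, cert_result, is_spam).
# "none" means the sender published no record / presented no certificate.
SAMPLE = (
    [("pass", "pass", False)] * 30 + [("pass", "none", False)] * 40 +
    [("none", "none", False)] * 28 + [("fail", "none", False)] * 2 +
    [("pass", "none", True)] * 10 + [("none", "none", True)] * 60 +
    [("fail", "none", True)] * 28 + [("pass", "pass", True)] * 2
)
MECHANISMS = ("spf", "cert")
OUTCOMES = ("pass", "fail", "none")

def learn_weights(sample):
    """Return ({(mechanism, outcome): log-likelihood ratio}, prior log-odds).

    Each weight is log(P(outcome | spam) / P(outcome | ham)), Laplace-smoothed,
    so a mechanism that does not separate spam from ham ends up near zero.
    """
    spam_n = sum(1 for row in sample if row[2])
    ham_n = len(sample) - spam_n
    weights = {}
    for i, mech in enumerate(MECHANISMS):
        spam_c = Counter(row[i] for row in sample if row[2])
        ham_c = Counter(row[i] for row in sample if not row[2])
        for outcome in OUTCOMES:
            p_spam = (spam_c[outcome] + 1) / (spam_n + len(OUTCOMES))
            p_ham = (ham_c[outcome] + 1) / (ham_n + len(OUTCOMES))
            weights[(mech, outcome)] = math.log(p_spam / p_ham)
    return weights, math.log(spam_n / ham_n)

def spam_score(weights, prior, spf, cert):
    """Log-odds that a message is spam given both authentication results."""
    return prior + weights[("spf", spf)] + weights[("cert", cert)]

if __name__ == "__main__":
    w, prior = learn_weights(SAMPLE)
    for spf, cert in [("pass", "pass"), ("pass", "none"),
                      ("none", "none"), ("fail", "none")]:
        print(f"spf={spf:4} cert={cert:4} "
              f"log-odds={spam_score(w, prior, spf, cert):+.2f}")
```

A positive score leans spam and a negative one leans legitimate; unauthenticated mail still gets a score, and a "pass" lowers the score without guaranteeing delivery.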
