ietf-asrg

[Asrg] Re: 6. Proposals - C/R and CRI

2003-12-16 18:39:38
Philip Miller wrote:
[changed subject to reflect where this is going]

Hallam-Baker, Phillip wrote:

[snip history]

The application to spam is obvious and utterly anti-social. Best thing that
can happen here is for the patent to kill this obnoxious and clueless
mechanism.


The problem with general C/R is that it's trying to achieve two separate purposes. It's doing return-path verification, and it's doing sentient-sender verification. Return-path verification is not inherently anti-social, so long as it doesn't necessarily bother the original sender (pick your own definition of 'bother'). Sentient-sender verification is quite reasonably considered inherently anti-social by some.

Return-path verification definitely has some value, but we need to work out a standardized way of doing it. We would never accept that a TCP connection is valid after receiving only the SYN packet, so why should we accept it for email? Proposals like CRI could be used to provide end-to-end return-path verification by automatically ACKing the challenge, assuming that it only asks 'did you send something?', not 'did you, as a sentient being, send something?'.

I'm not going to comment on the technical merits of sentient-sender verification because it is inherently a social problem that we're not tasked to deal with.


There is also concern with C/R about doing it inband such as via email headers in CRI. Something out of band, such as a CRI ESMTP extension, would be much more useful and less intrusive to users. Of course dictionary attacks become easier with that unless some kind of a token is sent with the message initially.

Yakov

-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"I ate your Web page. / Forgive me. It was juicy / And tart on my tongue." (MIT's 404 Message)
-------


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
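
Added illustration, not part of the original thread and not taken from the CRI proposal: a minimal sketch of automated return-path verification in which the sender issues a token with the message and auto-ACKs only challenges that carry it, so the responder cannot be used to probe for valid addresses. The class, function and field names and the HMAC construction are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class SendingDomain:
    """Hypothetical sender-side responder that auto-answers 'did you send something?'."""

    def __init__(self, users):
        self.key = secrets.token_bytes(32)  # per-domain secret, never leaves the sender
        self.users = set(users)

    def _mac(self, mail_from, rcpt_to, msg_id):
        # Bind the token to the envelope and message id so it cannot be replayed
        # for a different return path or a different message.
        data = "\0".join((mail_from.lower(), rcpt_to.lower(), msg_id)).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()[:32]

    def send(self, mail_from, rcpt_to):
        """Emit the envelope data the receiver will later echo back in its challenge."""
        if mail_from not in self.users:
            raise ValueError("unknown local sender")
        msg_id = secrets.token_hex(8)
        return {"mail_from": mail_from, "rcpt_to": rcpt_to, "msg_id": msg_id,
                "token": self._mac(mail_from, rcpt_to, msg_id)}

    def answer_challenge(self, mail_from, rcpt_to, msg_id, token):
        """ACK only a challenge carrying a token this domain issued.

        The user list is deliberately not consulted: a probe for an existing
        address and a probe for a nonexistent one get the same NAK, so the
        responder gives no help to a dictionary attack.
        """
        expected = self._mac(mail_from, rcpt_to, msg_id)
        ok = hmac.compare_digest(expected.encode(), token.encode())
        return "ACK" if ok else "NAK"


def receiver_accepts(sender_domain, envelope):
    """Receiver side: challenge the return path and accept only on ACK."""
    return sender_domain.answer_challenge(**envelope) == "ACK"


if __name__ == "__main__":
    domain = SendingDomain(["alice@example.org"])  # constructed sample data
    env = domain.send("alice@example.org", "bob@example.net")
    print("genuine message:", receiver_accepts(domain, env))
    print("forged return path:", receiver_accepts(domain, dict(env, mail_from="carol@example.org")))
```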


