Philip Miller wrote:
[changed subject to reflect where this is going]
Hallam-Baker, Phillip wrote:
[snip history]
The application to spam is obvious and utterly anti-social. Best thing that
can happen here is for the patent to kill this obnoxious and clueless
mechanism.
The problem with general C/R is that it's trying to achieve two separate
purposes. It's doing return-path verification, and it's doing
sentient-sender verification. Return-path verification is not inherently
anti-social, so long as it doesn't necessarily bother the original
sender (pick your own definition of 'bother'). Sentient-sender
verification is quite reasonably considered inherently anti-social by some.
Return-path verification definitely has some value, but we need to work
out a standardized way of doing it. We would never accept that a TCP
connection is valid after receiving only the SYN packet, so why should
we accept it for email?
Proposals like CRI could be used to provide end-to-end return-path
verification by automatically ACKing the challenge, assuming that it
only asks 'did you send something?', not 'did you, as a sentient being,
send something?'.
I'm not going to comment on the technical merits of sentient-sender
verification because it is inherently a social problem that we're not
tasked to deal with.
There is also concern with C/R about doing it inband such as via email
headers in CRI. Something out of band, such as a CRI ESMTP extension,
would be much more useful and less intrusive to users. Of course
dictionary attacks become easier with that unless some kind of a token
is sent with the message initially.
Yakov
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"I ate your Web page. / Forgive me. It was juicy / And tart on my
tongue." (MIT's 404 Message)
-------
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
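
The token idea raised at the end of the message above, as an added example that is not part of the original thread and is not the CRI wire format: the sending side stamps each outgoing message with a keyed token and later answers a "did you send something?" challenge automatically, so a challenger cannot probe sender addresses by guessing. The function names, field layout, key and lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not from any specification).
SECRET = b"constructed-demo-key"   # known only to the sending domain
TOKEN_TTL = 7 * 24 * 3600          # challenges older than a week are refused


def issue_token(sender, recipient, message_id, now):
    """Token attached to an outgoing message: '<issue-time>.<truncated HMAC>'."""
    ts = str(int(now))
    # Bind the token to who sent what to whom, and when.
    fields = "\x00".join([sender, recipient, message_id, ts]).encode()
    mac = hmac.new(SECRET, fields, hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{mac}"


def answer_challenge(sender, recipient, message_id, token, now):
    """Automatic reply to 'did you send something?': 'ACK' or 'NAK'.

    No human is involved, so this is return-path verification only,
    not sentient-sender verification.
    """
    try:
        ts, _mac = token.split(".", 1)
        issued = int(ts)
    except ValueError:
        return "NAK"                      # malformed token
    if not 0 <= now - issued <= TOKEN_TTL:
        return "NAK"                      # expired or dated in the future
    expected = issue_token(sender, recipient, message_id, issued)
    # Constant-time comparison; a guessed or replayed-for-another-message
    # token gets the same NAK as an unknown sender.
    ok = hmac.compare_digest(expected.encode(), token.encode())
    return "ACK" if ok else "NAK"


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("alice@example.org", "bob@example.net", "<m1@example.org>", t0)
    print(answer_challenge("alice@example.org", "bob@example.net",
                           "<m1@example.org>", tok, t0 + 60))
    print(answer_challenge("alice@example.org", "bob@example.net",
                           "<m1@example.org>", "1000000." + "0" * 32, t0 + 60))
```

Because the verifier recomputes the token from the key, the sending side keeps no per-message state, and a challenge without a valid token reveals nothing about whether the address exists.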