Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com> wrote:
> Which brings us back to your original point - why do we want to
> authenticate identity?

I would suggest that for most cases, we don't.

> Identity of the incoming MTA or the sender by
> itself will be meaningless unless combined with some form of a
> reputation system.

We don't need a repudiation system if we have a live verification system.

> As for stopping forgery, since this operates only on the SMTP Session
> level, it does not stop forgery of the mail content itself. Rather it
> authenticates the SMTP transaction which lets the network administrators
> complain to the originator. BUT, if the incoming IP is known, we know who
> the admin is anyway, so what's the point to tie it in with a domain.

Are you sure we know who the admin is? Some ISPs delegate IPs, and
then disclaim responsibility when their users abuse the net. Are we
to hold that ISP responsible?

My opinion would be to say "yes". Everyone who contributes to the
creation of a problem is partially responsible for it. The fewer
people who contribute to creating problems, the fewer problems.

Alan DeKok.