
Re: [Asrg] May I summarize this conversation, please? Rev "A"

2004-05-13 01:41:41
On 13/05/04 00:02 -0700, Jeff Silverman wrote:
<snip>
> One of my critics asked, rhetorically I think, why so many workers are
> enthralled with sender authentication.  I think the question is fair,

I have a slightly different viewpoint to this.
There are two main points to sender authentication:

1> It can increase the level of granularity of the consent level of the
recipient. Instead of saying "my MTA will accept mail from system foo", it
says "my MTA will accept mail from authenticated users bar and baz".
This tends to support a whitelisting approach.

1a) This limits the amount of "collateral damage" possible, even with ISP
smarthosts.
1b) It also reduces the burden on ISPs who now have to kick off spammers.
Instead they can ignore the spammers and let everyone else block only
those addresses.
While 1a is good, 1b is a significant disadvantage.
1a also has a small problem. What happens to the case where there is a
multirecipient message and one of the recipients wishes to accept the
mail, but one wishes to reject it? Since SMTP does not have per
recipient response codes, there is no way of communicating the consent
of a single recipient to a sender.

2> Since spam is a social problem, we have to use social mechanisms
against the spammers. With an authenticated sender, it is reasonable to
be able to point at the headers in a court of law and claim that the
sender is actually the spammer. This reduces the chance of being falsely
implicated in a lawsuit. With sender authentication, usable legal
measures can be pressed for.

You have implied the second, but missed the first.

<snip>
> his files).  E-mail is the only protocol I am aware of where the
> ostensibly human receiver is connected to the server.  In most
> protocols, the ostensibly human receiver is connected to the client; and
> there is a mechanism for authenticating clients.  The mechanism might

And this just as often raises the question of stolen and broken
passwords. While strong AAA works very well as a deterrent in a
corporate environment, there is a different issue on the Internet, where
there are more parties involved.

        recipient 
        ( contract ) 
        recipient's ISP         [Problem with spam is here]
        (no contract)           <---- This is the crux of the issue.
        sender's ISP            [The fix is here]
        ( contract )            <---- enforcement solves issues (?)
        sender.

Even with strong AAA, nothing will happen if the sender's ISP does not
terminate the spammer's connectivity.
<snip>

Devdas Bhagat

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
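
The multi-recipient case raised in point 1a, as an added example that is not part of the original message. It assumes each recipient's decision depends on the message content, so it is known only after DATA, where the server sends one reply for the whole transaction; the addresses, policies and message body are constructed.

```python
# Added illustration (not from the original message). Recipient names,
# policies and the sample message are constructed.

def run_transaction(policies, sender, body, strategy):
    """Model the receiving side of one SMTP transaction.

    policies: {recipient: callable(sender, body) -> bool}  (hypothetical)
    strategy: how the MTA collapses differing verdicts into the single
              reply SMTP allows after end-of-data.
    Returns (transcript, misreported), where misreported lists the
    recipients whose wish differs from what the sender was told.
    """
    transcript = [(f"MAIL FROM:<{sender}>", "250 OK")]
    for rcpt in policies:
        # Content is not known yet, so every valid recipient is accepted.
        transcript.append((f"RCPT TO:<{rcpt}>", "250 OK"))
    transcript.append(("DATA", "354 End data with <CR><LF>.<CR><LF>"))

    verdicts = {r: p(sender, body) for r, p in policies.items()}
    if strategy == "reject_if_any":
        accepted = all(verdicts.values())
    elif strategy == "accept_if_any":
        accepted = any(verdicts.values())
    else:
        raise ValueError(strategy)
    reply = "250 OK" if accepted else "550 Rejected"
    transcript.append((".", reply))  # one reply covers all recipients

    misreported = sorted(r for r, v in verdicts.items() if v != accepted)
    return transcript, misreported

POLICIES = {
    "bar@example.org": lambda s, b: True,                      # wants the mail
    "baz@example.org": lambda s, b: "offer" not in b.lower(),  # does not
}
BODY = "Subject: Special offer\r\n\r\nconstructed sample body\r\n"

if __name__ == "__main__":
    for strategy in ("reject_if_any", "accept_if_any"):
        t, wrong = run_transaction(POLICIES, "alice@example.com", BODY, strategy)
        print(strategy, "->", t[-1][1], "| misreported:", wrong)
```

Whichever strategy the MTA picks, one of the two recipients ends up with a result the sender is told the opposite of.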


