On Mon, 5 Jun 2006, Douglas Otis wrote:
Actually, with the inclusion of the bh= header, the body can be checked
separately with DKIM. The just the hash of the body is signed.
Better then nothing at all but this is still rather limiting in
actually referencing entire body data. Current email system allows
to reference external mime parts and email servers add new mime parts
as well.
If somebody is interested I have whole bunch of notes on all this -
however considering what I've seen I do not see that internet community
(and more specifically email industry) would be willing to implement all
necessary extensions and I think new email protocol is better way to go to
really fix SMTP rather then several additional patches which are hard to
fit within current infrastructure.
If email becomes more reputation based, a call-back mechanism should
eliminate much of the risks associated with auto-executed malware.
It is not about malware - there are actually ways to get rid of it that
are fairly effective even now (most malware is easy to identify based
on common signatures).
The reality is that im2000 is generally alot better approach for email
infrastructure where you do not expect that every email would be
delivered.... The advantages are that it can offer:
1. More effective per-ip and per-domain filters which are similar
to current URI filters but here URL is that of data store.
SPF-like verification based on URL location starts to work
with no forwarding problems for multiple identities.
2. Zombies are no longer as effective as its necessary for such
systems to be able to receive incoming connections and not
only establish outgoing connections (as these systems must
also be accessible through DNS).
3. Integrated email tracking - sender knows if email has been
picked up or not (possibly done all the way to MUA as IM2000
wanted, but I consider it to be an option and not default) and
sender can also cancel non-picked up message.
4. Better multi-party delivery that is done on per-site basis
(this is related to current thread - on per-site common emails
to multiple recipients can have shared referenced body part(s)
and those can be retrieved by the site once and can be reused).
5. Email messages that have multiple alternative content (i.e.
both HTML and text) is less wasteful on bandwidth as end-user
can have setting that only certain types of content is to be
retrieved. Similar works for messages with content in multiple
languages (end-site may even communicate what language ise
prefers like its done in HTTP). Also if end-site has policies
that certain attachments are not allowed those attachments
need not be retrieved.
6. Other advanced security choices available once communication
between end-site and sender is possible...
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg