ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] Re: A Technique for Universal Authentication

2006-09-01 19:58:57
from [John Levine] [Permanent Link] 
Your argument is not unique to my proposal but it is directed against
all bounces, vacation messages, etc.


Right.  You don't want to send a response unless you know a message
isn't spam, but if you already know it's not spam, there isn't much
point in sending a C/R challenge, is there?

Incidentally, it occurs to me that S/MIME addresses the introduction
problem at least as well as your hack.  Remember that S/MIME uses
hierarchical signed certificates just like SSL, and MUAs typically
have a list of well-known S/MIME signers just like the list of well
known SSL signers, more often than not the same list.  All of the
signers make some desultory effort to ensure that that they only sign
certs that belong to the address on the cert, typically by mailing out
a token that you need to use to claim your cert.

Anyone with a signed cert has jumped through a hoop at least as
difficult as responding to a C/R challenge.  If you whitelist all mail
with signed certs, and tell people to get an S/MIME cert if they want
to talk to you (they're free, after all), that solves the same
problems as your scheme, with added benefits of preventing snooping in
transit in the common case that the sender knows your cert, too.  And
it's already available in Outlook, Outlook Express, Eudora,
Thunderbird, and probably lots of other MUAs I haven't looked at.
What are you waiting for?



Existing methods such as BATV can easily protect mail systems from
this problem.  The Auto-Reply update to MUAs will block erroneous
bounces for almost the entire global email population.


You keep waving your hands and assuming that everyone will implement
your stuff.  I think BATV is swell, and I've been running it longer
than anyone else, but I am under no illusions about how slow its
uptake has been.  If I were king and could demand that everyone in the
world implement my favorite mail hacks, I would mandate a whole lot
more interesting stuff than some subaddresses and C/R challenges.

R's,
John


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] Re: A Technique for Universal Authentication, Michael Kaplan
Next by Date:  [Asrg] more thoughts on SSP taxonomy, David Nicol
Previous by Thread:  Re: [Asrg] Re: A Technique for Universal Authentication, Michael Kaplan
Next by Thread:  Re: [Asrg] Re: A Technique for Universal Authentication, Michael Kaplan
Indexes:  [Date] [Thread] [Top] [All Lists]