ietf-mailsig
[Top] [All Lists]

Re: Anonymous signed mail

2004-08-18 16:58:01

Exactly.

[Below describing properties of the Identified Internet Mail proposal; don't 
know whether all of these properties are shared by the others that were 
presented]:

To state it a different way, what's important isn't who the sender is, but 
whether the sender is authorized to use that email address.  In a sense we're 
making the domain administrator responsible for messages sent by the domain, 
and trying to empower the administrator to regulate the domain.  Future 
accreditation/reputation systems will motivate the administrator to do that 
regulation.

To look at it another way, identity by itself isn't enough.  I could sign this 
message with my PGP key which shows my address as 
<fenton(_at_)cisco(_dot_)com>, but if that address wasn't valid any more, there 
is nothing that the domain can do about my use of that PGP key anyway.

This is good news for privacy advocates (we aren't changing the anonymity 
properties of email) as well as for specialized situations where anonymity is 
important (whistle-blower hotlines, for example).

-Jim

At 01:43 PM 8/18/2004 -0700, Dave Crocker wrote:

Atul,


By way of priming the discussion pump:


ASnc> I was going through the slides presented at IETF-60.  One of the goals
ASnc> listed there was: "Preserve Anonymity if requested by the sender"

ASnc> I had some questions regarding this:
ASnc>   * Won't allowing anonymous mails defeat the anti-spam quality of MASS?

I believe that spam control is about accountability and does not
automatically require directly identifying the agent that created or
posted the message.  Accountability can be quite indirect, as long as it
involves real substance.

By way of an extreme example, if a sender is required to post a US$1M
bond that is at risk if there are complaints against messages from that
sender, then we are not likely to care whether we can directly identify
the sender.  The assumption is that risking that much money will
dissuade rogue senders from doing nasty things that would prompt us to
make complaints.


ASnc>   * What does it mean to have a "signed" anonymous mail?

It means that a responsible agent is doing the signing.  Who that is is
a separate matter.


d/
--
Dave Crocker <dcrocker-at-brandenburg-dot-com>
Brandenburg InternetWorking <www.brandenburg.com>
Sunnyvale, CA  USA <tel:+1.408.246.8253>


<Prev in Thread] Current Thread [Next in Thread>