ietf-mxcomp

RE: User experience

2004-04-06 16:34:40

Regarding your caveat below, this is a good point.  However, there are
also lots of clients connected directly to their ISPs who do have such
access.  So if possible we shouldn't preclude verification from the MUA,
though I readily agree the MTA is the best place to do this.

In any case, my original point was simply that the end user needs to be
informed in cases where we validate something other than the From line.
I did not mean to imply that the MUA must perform the validation in
those cases.  

-----Original Message-----
From: Markus Stumpf [mailto:maex-lists-email-ietf-mxcomp(_at_)Space(_dot_)Net] 
Sent: Tuesday, April 06, 2004 11:54 AM
To: Harry Katz
Cc: ietf-mxcomp(_at_)imc(_dot_)org
Subject: Re: User experience

On Tue, Apr 06, 2004 at 10:26:28AM -0700, Harry Katz wrote:
> 1. Whenever possible, we must validate the domain used on the From
> line of the message, the RFC2822 From header to be precise. Because
> that's what the user sees.

Maybe I'm missing something here, but isn't that exactly what PGP and
S/MIME do? (ok, they validate the user, not only the domain)

We already have a mechanism that is perfectly capable of verifying
2822.From, so why should we build another? Isn't it much easier to
simply push the distribution of this existing method (i.e. support in
MUAs) than to build a new system that probably is less efficient?

When signing messages one could make use of multiple keysigns, such that
a message is both signed by the key of a user and by a key for a domain
and the public key for that domain is e.g. stored in DNS.

May I also bring a caveat here: we should not use DNS based verification
with MUAs. Still (and probably also in the future) a lot of eMail
readers are behind firewalls and they read their mail on computers that
don't have a direct connection to the Internet and they cannot access
DNS from the MUA when reading their eMails.
Or they simply poll their eMails and read offline.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is
reciprocally  proportional to the amount of vacuity between the ears of
the admin"