On Wed, 2004-04-28 at 18:53, Neil Brown wrote:
<snip>
The over-all goal seems to be:
A - reduce junk e-mail
<snip>
No system can reliably exclude mail by category. Offering mechanisms to
assist in excluding servers known for unacceptable policies would be a
goal in immediate needed to protect current infrastructures.
B - add authentication to e-mail
<snip>
There are already methods of authenticating mail end-to-end that best
scales at the MUA. Strong cryptographic signatures are of lesser value
if not coupled with the message body. Per-message cryptographic
overhead at the MTA works against principles of scale. There can be an
infinite number of users created at zero cost for the sender but then
creating a sizable cost for the receiver if adding per user
cryptography.
A system that validates allowable 'from' domains using DNS where
representations within this domain are traceable within system logs
offers significant relief from false representation. Domains handling
valuable information should employ security measures to protect users
within their domain from spoofing as users within the same domain. For
information of a critical nature, secure means of exchanging information
goes well beyond expectations of a general mail system.
C - Specify how policy information can be stored in the DNS which
allows the potential recipient of an Email to assess the
authenticity of part or all of a mail message.
A general goal of being able to detect spoofed source domains with DNS
information narrows the focus. This statement seems overly broad.
<snip>
D-1 - Where can I safely (i.e. without annoying an innocent party)
send an automatic response to this message.
Domain validation offers relief for the most part. Policies within the
domain can guard against domain level user spoofing. Marking domains as
being the exclusive source (never forwarded or sent via relay) may allow
safe 'from' rejections prior to practices of rewriting envelopes being
in place.
D-2 - Which individual or agent chose to send this item to these
recipients.
Individual identification remains within the realm of the domain.
Placing a protocol within DNS tables for the source domain does not need
to be part of the mail system but can be expected to work in conjunction
with the MUA.
Working goals could be as follows:
1: Define DNS records that identify outbound MTA servers.
2: Define DNS records to identify 'from' domain transport.
3: Describe a phase-in transition to reliance on MTA/DNS validation.
4: Describe a phase-in transition to reliance on 'from'/DNS validation.
5: Describe added services such as accreditation domains to be supported
and adjunct services to be added and decide if best implemented as a
standardized service independent of the mail system to allow greater
use.
-Doug