Reposting as it did not go out to the list
Again as I say/ask this with all respect
Since those maintaining domains and networks know who can send and where it
should come from, it seems the goal is to set up a mechanism for communicating
that so others will know it when they receive a message, correct? The goal is
to know whether a message did indeed come from that domain, correct?
Simplistically speaking, since domains/networks know how they are configured,
why not have a mechanism that can sit on their domain and verify to those
asking if a message came from their domain or network rather than trying to
explain their whole setup to everyone? Likewise for those receiving the
message have a mechanism that does the same thing in reverse. (for full
disclosure this process is also something we have patent claims and working
code on) That way you don't have to list all of your users, IPs, basically
diagram your whole network setup to everyone.
It seems to me that if you make all of your users, specific IPs, etc. available
for everyone to see and know more information about upon request, that may lead
to security problems we haven't even thought of yet, least of which is every
spammer having the ability to associate an email address with the appropriate
IP, whereas now for mass mailing of spoofs they would have to guess. Wouldn't
people rather be able to say "yup, it came from me and that's all you need to
know, I'll keep the rest private thank you."?
Again, this is all spoken with the utmost respect.
Bill McInnis
Messagelevel.com
-----Original Message-----
From: Jon Kyme [mailto:jrk(_at_)merseymail(_dot_)com]
Sent: Friday, June 18, 2004 11:23 AM
To: Bill Mcinnis
Cc: ietf-mxcomp(_at_)imc(_dot_)org
Subject: RE: Alternative to TXT or new RR
Bill Mcinnis wrote:
I think what we are working on falls into the authorization part of
this charter, unless I have that defined wrong. Could someone please
explain the difference as you all see it just so I am clear. Again, I
am trying to find the right place to go with this and keep getting
shot down. It is frustrating because while you all are talking about
getting working code, we already have it.
AFAIK "Message Level Authentication", is concerned with answering "the
fundamental question plaguing email today: 'Did you really send me this
email?'", whereas this group has a charter to come up with a mechanism to
enable "those maintaining domains and networks [...] to specify that individual
hosts or nodes are authorized to act as MTAs for messages sent from those
domains or networks"
This difference may be easier to understand if you consider how you'd use
either system *without* a message in hand:
MARID:
Q. domain name, IP
A. Yes | No
Message Level Authentication:
Q. Did you really send me this email?
A. What email? What are you on about? Are you on drugs?
Regards,
JRK