ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: TECH-ERROR/DOC-BUG: empty fields in -pra

2004-09-06 09:23:15
from [Alan DeKok] [Permanent Link] 

Stephane Bortzmeyer <bortzmeyer(_at_)nic(_dot_)fr> wrote:

Why only one? Why not a "Responsible-From" inserted at each
administrative organization boundary? (Like "Received" inserted at
each MTA boundary.)


  That would help, but not enough, due to the current deployment of
SMTP.

  SMTP is "end to end", in that clients talk directly to servers.
It's easy to validate the previous hop: you've got the IP.  email
*messages* aren't "end to end", or, at least, aren't *verifiable* to
be end to end, ias they could have been modified in transit, or
forged.  (Barring signed messages...)

  What you're talking about is changing the forwarding methodology from:

    message -> message' -> message'' -> message''' -> ...

  to:

    forward(forward(forward(forward(message))))

  The first method forwards messages which may, or may not, be related
to each other.  They certainly *appear* to be related, and the
"received" lines indicate some relationship, but that relationship is
difficult to follow or prove, as the whole PRA argument has shown.

  The second method "tunnels" the message though multiple forwarders.
Each forwarder not only accepts responsibility for the message, it
attests to the fact that other forwarders have accepted responsibility
for their behavior.

  In the security world, these methods are used to create multiple
nested virtual tunnels.  The tunneling & layering is *required*,
because the intermediaries know about only their neighbours, and don't
trust anyone else.  To first order, the number of nested tunnels
indicates the number of trust boundaries that the message has crossed.

  This method works for VPN's, because the sites doing the tunnelling
don't futz with the message content.  (They often can't, because the
content is itself signed and encrypted).  This method does NOT work
for SMTP, because there are too many broken MTA implementations which
change the message contents.

  So a "Responsible-From" inserted at each administrative organization
boundary would be a good idea, but it would have to be tied both to
the message, and to the party claiming responsibility.  That's hard.

  Alan DeKok.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: TECH-ERROR/DOC-BUG: empty fields in -pra, Stephane Bortzmeyer
Next by Date:  Re: consensus call on MUST/SHOULD language for TXT records, mazieres
Previous by Thread:  Re: TECH-ERROR/DOC-BUG: empty fields in -pra, Stephane Bortzmeyer
Next by Thread:  Re: TECH-ERROR/DOC-BUG: empty fields in -pra, Chris Haynes
Indexes:  [Date] [Thread] [Top] [All Lists]