At 09:45 24-01-2009, David MacQuigg wrote:
> I disagree. If a sender was expected to declare its identity (not a
> machine name, but the identity by which the world will judge the
> sender's reputation), then SMTP could say "good enough", the rest is
> up to others.

Even if we wanted to have the HELO provide an identity along the
lines you described, we would not be able to make the change as the
protocol is widely deployed.

> Nobody I know makes that assumption. A more reasonable assumption
> is that the Bad Guys won't be able to use the identity of a Good Guy
> who is honest and competent.

If we were to have such an identity, we would need a way to verify
it. As we step back and analyze the "flaws" of SMTP, we see that
they are there for a reason. What makes SMTP robust is that it works
for a wide range of use-cases. Using an identity in ways discussed
in this thread is somewhat at odds with decisions taken for RFC 5321
(see long discussion about MX records in the archive). Section 4.1.3
of RFC 5321 takes into account the problems for an SMTP client to
determine how to identify itself. If you want a strong identity,
you'll have to deal with all that.
Regards,
-sm