Douglas Otis wrote:
Agreed, crypto offers recognition of previous encounters. A desire to
make exchanges that traverse LSNs is clearly where something like
Kerberos tickets can play a suitable role in offering a low overhead
process. Kerberos can also offer a lower frequency rate where it
remains practical to identify all domains prior to issuing tickets.
Reputations MUST BE based on AUTHENTICATED identities.
I am not sure Kerberos is as suitable as you may think for the public port
SMTP market. I can see it works well when employed with centralized
vendor networking and control is in place and timing can be
auto-configured among clients.
But it does require time synchronization across the board and I think
it's quite unrealistic (to achieve reliably) in a *decentralized* SMTP
public port environment of different servers and clients. Note the
emphasis on decentralized.
Of course, the #1 reason it doesn't apply in a public port 25 SMTP
standard is because it cannot be enforced. And I should note that
the discussions regarding 4yz policy based rejections w/o time hints,
to me, were understood to be only applicable to unauthenticated,
anonymous senders. Once a sender is known by any form of
authentication, policies such as greylisting or other sender filtering
methods should not be applied. I know there is the possibility of a
compromised user, but that's a different set of issues (and most
complex, costly considerations) in my opinion.