on 6/7/2003 6:01 PM Paul Vixie wrote:
Probably better to specify the gateway tagging, ...
and we're going to convey trust and credence through a nontrusted
system How?
We can discover without question who the first MT2 system in the path was,
and (assuming that identity information is required, which I do) that
gateway will also have had to present identity information about the
sender. All rules, recommendations, and supportive integrity mechanisms
aside, those are going to be your primary actionable knobs.
Assume that somebody like AOL embraces this system for private transfers
with some other large-scale provider. They probably won't update all of
their submission services beforehand, but instead will just map their
existing authenticated submission services to this system. EG, they'll
see who a particular mail message is from, locate the appropriate user
certificate in their private directory, and feed that into the system.
This same model can hold true for private Exchange, GroupWise, or SMTP
AUTH submission services. All of these are examples of gateways that can
leverage authentication services to map a sender certificate, even if
those networks aren't running MT2 as the native service.
So the problem isn't with "gateways" it's with unauthenticated senders.
Simply put, messages won't make it to the next-hop inside the MT2 transfer
network UNLESS the gateway provides a user cert for the sender identity;
the next-hop would otherwise just reject the message.
Gateway rules (which weren't discussed in any of the above) can give you
more information to act on. For example, you can set your defenses higher
if you see remnants of more than one legacy Received header, or if there
are other characteristics you don't like. Obviously gateways are going to
be necessary, so it's really going to be a question of being able to apply
the right kind of heuristics.
if smtp fallback is desired, it must be done in the sending user agent,
who upon not finding the SRV RR, could ask "try smtp instead?".
Conversion in either direction could theoretically occur at any point.
What cannot easily happen is for any message to get past the first hop of
the MT2 network without having entered at a system which did not have
access to user credentials.
[not to Paul, who already gets it: On the subject of identity-tracking,
this subject is a non-starter. Folks can gather and use all of the
identities they want from any number of ISPs and mail services (you can
call yourself WonderWoman(_at_)yahoo and nobody will care as long as it
validates). This is, in the end, the same level of anonymity that is
available with SMTP today]
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/