ietf
[Top] [All Lists]

RE: digital signature request

2004-02-26 08:36:27
From: "Robert G. Brown" <rgb(_at_)phy(_dot_)duke(_dot_)edu>

...
It has been pointed out several times now that unless you are willing to
receive mail only from a small, closed group of individuals that all
agree to use digital signatures and whose mail you whitelist while
blacklisting EVERYTHING ELSE you are right back where you are right now.
...

If you are interested in that model, then you do not need any fancy
cryptography, certs, pretty good encryption, S/MIME, or anything else
not already present in all SMTP mail.  You can whitelist using bits
that are already associated with every SMTP mail message and in
the body delivered to your MUA if your MTA is not broken junk.

Ever mail message carries a practically unforgeable (for spammers)
token identifying its source.  That token is the IP address of the
SMTP client.  If your MTA is reasonable, it is included in the Received
header it adds.  You only need fancy extra stuff if you cannot arrange
for your community to use only trustworthy MTAs or if your traffic is
worth the thousands of dollars (or equivalent labor) that breaking
security based on IP addresses requires.

Yes, I've heard of Bellovin, Mitnick, RFC 1948, etc. so forth and so
on and on.   TCP ISN faking is harder now than it used to be.  It was
always incompatible with the "bulk" in "unsolicited bulk mail."


The spam problem starts with accepting mail from strangers.  Give
up that design goal, and spam disappears.  So does much of the
justification for mail.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com



<Prev in Thread] Current Thread [Next in Thread>