On 2/1/2004 5:47 PM, Jari Arkko wrote:
> I think the hard question is what level of "authentication" to require.
> I am pretty sure 99.99% of users want better protection against
> spoofed addresses than we currently have. But I am not sure they are
> willing to go as far as mandating a global PKI of all e-mail users. So
> what's left, then? Just verifying the two domains but not the users?
> Self-signed certificates and ensuring that all messages from the same
> address come from the same entity, but not ensuring that the claimed
> identities are really correct? Weak form of sender address verification
> through asking the sender's mail server to check the claimed address
> can actually receive messages and that the message ID is valid?
> Something else, what?
I don't think it would need to go beyond domain-level verification; if the
sender is using a domain that validates the certificate[*], then it's
pretty safe to ass-u-me that the certificate is valid (or they lost their
private key, at which point they need new certs, etc).
There are non-exclusive mechanisms available at that scope. You could
validate delegated certs against a local store (like now), while using
some kind of lookup (DNS, reverse-connect to server, whatever) for
self-signed certs, or to blur the distinction if you wanted.
As was already stated, trust brokers that assign credibility to specific
domains (regardless of the mechanism used to validate the certificates)
are going to be of equal or greater importance.
[* All of the above assumes certs, which is not a foregone conclusion.]
-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
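The domain-level scheme discussed above (delegated certs validated against a local store, self-signed certs held only to "same address, same entity" continuity, and a trust broker layered on top) can be sketched as a small receiving-side policy engine. The following is an added example written for this page, not code from the thread or from either poster; the issuer store, the broker reputation table, the key bytes and the addresses are all constructed placeholders, and signature verification of the message itself is assumed to have happened before `verdict()` is called.

```python
# Added example (not code from the thread): a minimal policy engine for the
# domain-level scheme sketched above. Delegated certs are checked against a
# local issuer store; self-signed certs get trust-on-first-use key pinning so
# that "all messages from the same address come from the same entity"; a
# constructed trust-broker table adds per-domain reputation. All data here is
# constructed for illustration.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed local store: domain -> fingerprint of the issuer this site
# trusts to delegate certs for that domain (hypothetical values).
TRUSTED_DOMAIN_ISSUERS: Dict[str, str] = {
    "example.com": "issuer-fp-aaa",
}

# Constructed trust-broker output: domain -> reputation label.
BROKER_REPUTATION: Dict[str, str] = {
    "example.com": "good",
    "self-hosted.net": "unknown",
    "spammy.example": "bad",
}


@dataclass
class Cert:
    subject: str              # e-mail address the cert claims
    public_key: bytes         # raw public key bytes (constructed here)
    issuer_fp: Optional[str]  # fingerprint of the issuer; None means self-signed

    def fingerprint(self) -> str:
        # Stable identifier for the key; SHA-256 truncated for readability.
        return hashlib.sha256(self.public_key).hexdigest()[:16]

    def domain(self) -> str:
        return self.subject.rsplit("@", 1)[1].lower()


@dataclass
class PinStore:
    """Trust-on-first-use pins: address -> key fingerprint last seen."""
    pins: Dict[str, str] = field(default_factory=dict)

    def check(self, cert: Cert) -> str:
        if cert.issuer_fp is not None:
            # Delegated cert: validate against the local issuer store.
            if TRUSTED_DOMAIN_ISSUERS.get(cert.domain()) == cert.issuer_fp:
                return "domain-verified"
            return "untrusted-issuer"
        # Self-signed cert: identity cannot be proven, only continuity.
        fp = cert.fingerprint()
        previous = self.pins.get(cert.subject)
        if previous is None:
            self.pins[cert.subject] = fp
            return "first-seen"
        if previous == fp:
            return "consistent"
        # Key changed without a delegated cert: spoofing or a lost key.
        return "key-changed"


def verdict(store: PinStore, cert: Cert) -> str:
    """Combine the certificate check with broker reputation into a disposition."""
    status = store.check(cert)
    reputation = BROKER_REPUTATION.get(cert.domain(), "unknown")
    if reputation == "bad" or status == "untrusted-issuer":
        return "reject"
    if status == "key-changed":
        return "quarantine"
    if status == "domain-verified" and reputation == "good":
        return "accept"
    # First-seen or consistent self-signed, or verified but unknown domain.
    return "accept-unverified"


if __name__ == "__main__":
    store = PinStore()
    stream = [  # constructed message stream
        Cert("alice@self-hosted.net", b"key-A", None),
        Cert("alice@self-hosted.net", b"key-A", None),
        Cert("alice@self-hosted.net", b"key-B", None),
        Cert("bob@example.com", b"key-C", "issuer-fp-aaa"),
        Cert("bob@example.com", b"key-D", "issuer-fp-zzz"),
        Cert("eve@spammy.example", b"key-E", None),
    ]
    for c in stream:
        print(c.subject, verdict(store, c))
```

The point the example makes concrete is the gap the thread is circling: a self-signed cert that changes key for an address yields only "key-changed", which is indistinguishable at this layer between a lost private key and a spoofer, so it is quarantined rather than rejected, and only a delegated cert matching the local store earns "domain-verified". The broker table is what turns a verified but unknown domain into a full accept.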