mail-ng

Re: Challenge Response ?

2004-02-08 09:51:20


On 8 Feb 2004, Paul Crowley wrote:

> You're still thinking too much like today's protocols.  The correct
> requirement is
>
> - Users should have a way of authenticating themselves to a website as
> a recipient of a particular email address
>
> Challenge-response is only one way of achieving this, and it's a
> rather clunky way.

You're still thinking too specific. Challenge-Response does not have to be 
through a website (in fact in our requirement for email we should avoid 
talking about other protocols such as HTTP altogether - that protocol 
may well change as well), that leaves only the following: "User should have
a way of authenticating themselves as recipient of particular email address"
But that is just the same as saying that there is a need for authentication
in the email and we already had that. In my view challenge response has 
been too often overused where just authentication would have been enough
(this was particularly clear about ASRG document which they should not have
tried to label challenge-response and it only hurt it, but this is OT)

On the other hand one thing specific about challenge response is that its 
primary purpose when it was invented was to authenticate that there is a 
"human" reading the email (rather than that some machine code would be 
able to authenticate itself to help the mail get through), this is 
particularly clear in all the kind of challenges that are done. As we have 
already briefly discussed the need to differentiate email destined for human 
and machine consumption (when talking about fax), it might bring in the 
following possible restatement of Challenge-Response requirement:

- Individual users should have a way to authenticate themselves as humans
  (for messages oriented for human consumption)

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net

