On 4/30/01 8:42 AM, "James M Galvin" <[EMAIL PROTECTED]> wrote:

> My model was down one more level.  I was imagining sites "subscribing"
> to the service.  Thus the service could be used at the SMTP level but
> could also be used later.

Something like ORBs, but as a whitelist?

>   What we really need (or perhaps already have and I just don't know
>   where to find it) is an authenticating mechanism between mail
>   gateways - something that gets you safely across "untrusted hops"
>   and into someone's trusted domain.

Actually, I don't agree.

The *real* solution here is a way to authenticate an e-mail address. As long
as I can create e-mail from any address I want, and a receiving site can't
verify that it actually came from that site, the rest is plugging thumbs in
the dike. And that means some kind of public key authentication.

You want to fix all this, make an email address verifiable, and start
rejecting everything that won't verify. Until you do, it's always patches
and hacks that the spammers will find ways to work around.

And, of course, turning this around -- until there's a reliable public key
infrastructure that's easy to use and hard to hack AND someone convinces
AOL to buy into it and write it into their software so AOL users *can* use
it, it'll never happen. And given how quickly AOL adopts standards in their
software....


