Serge wrote:
> > With respect to verifying that the sender is really the sender, there are
> > two basic means.  One is a digital signature, the other is MAIL FROM AUTH=,
> > which is part of SMTP AUTH.  In something of an ironic coincidence, I just
> > heard back from Bill Shannon regarding JavaMail support for MAIL FROM AUTH=,
> > and will CC the mailing list on my response.

> Yeah Noel, don't take this the wrong way, but I think cows will fly
> before this approach.  You've enumerated a string of unimplemented RFCs,
> libraries that don't support them, and have complex behavior that would
> be an inconvenience for non-adopters.

Are you referring to MAIL FROM AUTH= as the approach that would come in
second to airborne bovines in an aerodynamics contest?  It is implemented
(albeit not by JavaMail), but it won't solve your general Internet desires,
and I wasn't proposing it as the ultimate approach.

> Spam and identity theft can probably scare a lot more money
> out of VCs' wallets these days...

It would be great to come up with something as elegantly simple as VERP for
authentication.

We would want broad support.  I don't know anything broader than S/MIME.
One thing that I have seen is that the first time you send me mail, my MTA
will respond with a bounce message containing a unique URL.  Using that URL
you can install a public key for me.  That public key is generated by me,
and encoded for your e-mail address.  I am a CA, but instead of providing
you with your own private key, from your perspective the key is my public
key.  Most mailers make sending encrypted e-mail pretty easy.  The key tells
me which address had received the key, and is thus eligible to use it.
Revocation and filtering are trivial, and handled by my MTA, requiring no
assistance from my MUA.

That is something we could build fairly readily.  It does not handle mailing
lists, nor would it work with most web-mail providers.  It is strictly 1:1,
and requires the sender to have an S/MIME capable MUA.  The closest I have
seen so far that would handle a mailing list are some of the TMDA
techniques.  On the other hand, you could expect a good list to be filtered,
and filter messages purporting to come from a list based upon known servers
for that list.

Raining milk yet?

        --- Noel
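
The MTA-side bookkeeping for the per-sender key scheme described in the message above, as an added example that is not part of the original message. It models only the unique bounce URL, the binding of a key to one sender address, and revocation; the class, method names and `mta.example` URL are hypothetical, and a random key id stands in for the recipient identifier that a real S/MIME envelope would carry.

```python
import hashlib
import secrets


class PerSenderKeyRegistry:
    """Model of the MTA's per-correspondent key table (no real S/MIME here)."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.pending = {}     # URL token -> sender address awaiting its key
        self.issued = {}      # key id -> the one address the key was issued to
        self.revoked = set()  # key ids the MTA no longer honours

    def challenge(self, sender):
        """First contact: build the unique URL that goes into the bounce."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = sender.lower()
        return f"{self.base_url}/{token}"

    def redeem(self, url):
        """Sender fetches the URL: mint a key bound to that address, once."""
        sender = self.pending.pop(url.rsplit("/", 1)[-1], None)
        if sender is None:
            return None  # unknown or already-used URL
        # Assumption: random bytes stand in for a freshly generated public key.
        key_material = secrets.token_bytes(32)
        key_id = hashlib.sha256(key_material).hexdigest()[:16]
        self.issued[key_id] = sender
        return key_id

    def revoke(self, key_id):
        """Revocation is local to the MTA; the MUA is not involved."""
        self.revoked.add(key_id)

    def check(self, envelope_sender, key_id):
        """Filter an inbound message by the key it was encrypted to."""
        if key_id is None:
            return "challenge"  # not encrypted to any issued key: send the bounce
        if key_id in self.revoked or key_id not in self.issued:
            return "reject"
        if self.issued[key_id] != envelope_sender.lower():
            return "reject"  # key was issued to a different address
        return "accept"
```
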

