Authentication and Authorization are two separate and distinct issues. TLS and Authentication have been around for quite a while, but without centralized authorization it will never be deployed by disparate corporations for inter-domain mail! This will not stop spam. Unless of course you want to manage user accounts or certificates with every single customer that you want to have conversations with. Authorization must still be authorized by a third party agency which verifies validity between everyone involved in communications.

LP

Best Regards,

Larry

Larry Pingree

"Visionary people, are visionary, partly because of the great many things they never get to see." - Larry Pingree

-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Friday, June 25, 2004 12:14 PM
To: Larry Pingree
Cc: jshen@spymac.com; nanog@merit.edu
Subject: Re: Unplugging spamming PCs

On Fri, 25 Jun 2004 09:11:36 PDT, Larry Pingree said:
> What I am proposing is have a registry that you must register with before other mail servers will accept mail from you. Similar to how MAPS RBL works, but the mail server itself, enforces it, rather than a firewall or an ancillary device ACL. This could be made a standard of SMTP.

Yet another "it won't do any good till everybody deploys it".

http://www.rhyolite.com/anti-spam/you-might-be.html

On 2004-06-25T12:47-0700, Larry Pingree wrote:
) single customer that you want to have conversations with. Authorization
) must still be authorized by a third party agency which verifies
) validity between everyone involved in communications.

You seem to be making a case for only accepting GPG-signed email, or at best only accepting SMTP connections over SSL with a certificate issued by a trusted CA. These both go to identity, though, not authorization.

I do not see an obvious way for a third party to verify that two entities can validly communicate with each other--unless both entities are involved in making that decision, or both parties have agreed on some set of criteria beforehand.

If you are simply after identity-tracking, there are ways to enforce that other than creating a new "email server registry."

If you mean to suggest that you want someone else to decide who should be able to talk to you--using their own criteria--it does not sound like you are proposing something I would opt to be a part of.

--
Daniel Reed <n@ml.org> http://people.redhat.com/djr/ http://naim.n.ml.org/
There are people who do things and people who take the credit, and the trick is to be in the first group; there is a lot less competition. -- Dwight Morrow, American Diplomat

Larry Pingree [25/06/04 12:47 -0700]:
> Authentication and Authorization are two separate and distinct issues. TLS and Authentication have been around for quite a while, but without centralized authorization it will never be deployed by disparate

I'm sure the IETF MARID list would be delighted to hear it, if you have any

--srs

--
suresh ramasubramanian suresh@outblaze.com gpg # EDEDEFB9
manager, security & antispam operations, outblaze limited

participants (3): Daniel Reed, Larry Pingree, Suresh Ramasubramanian