
Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



Resent for Francis Dupont, as his posting was bounced by the shim6 list manager (non-member submission).

======================
In your previous mail you wrote:

   > => STARTTLS (the mechanism which encrypts the SMTP session) has
   > authentication and this doesn't solve what you believe this solves.

   Well, not if you turn off authentication:

=> this is a particular setup implied by an operational consideration:
authentication can be done only with a global PKI when unknown peers
should be accepted.

   There has been a lot of debate on whether having authentication in
   email

=> STARTTLS is not email, it is only about MTA-MTA transport.

   will solve the various problems that plague it. It won't solve
   some (spam will remain to some degree if you want to be able to
   receive messages from people you don't know) but it will solve others
   (all those bounces from spam messages that use my domain).

=> this has nothing to do with real authentication, it is more
related to ingress filtering. And as you can see, it is pretty
inefficient because any action at the MTA-MTA transport level is
defeated by indirect delivery (it is the same for grey listing,
and unfortunately it will be the same with real authentication using
a global PKI).

   But encryption won't help with any of this.

=> encryption is in this context the defense against eavesdroppers.

Regards

Francis.Dupont@point6.net
==================