
RE: Authentication and email



> Following this logic, the only way to use S/MIME or PGP to reduce
> spam is for IETF mailing lists to reject all mail from unknown
> senders, and to reject all unsigned mail from known senders. This
> would certainly reduce spam; it would also reduce valid mail from new
> participants and from current participants who are sending from
> machines that are not set up the way their other machines are.

Rather than continuing this discussion of how to use S/MIME or PGP
to prevent people from doing things, how about considering how we could
use them to enable things that aren't otherwise possible/permitted.
Any such usage should be "opt in" rather than mandatorily enforced.

For example, at the moment, most IETF mailing lists are in moderated
mode, where mail from unknown senders gets held for the moderator.
If one doesn't want to wait for the moderator, one has to subscribe
to the list.  What if the IETF maintained a list of people who have
registered S/MIME or PGP keys and subscribed to at least one IETF
list, and allowed email from them to any IETF list without moderation?
We'd need an appropriate revoke mechanism to allow any list moderator
to determine that someone has posted inappropriately and revoke this
privilege.  That might be enough of a benefit to get some people to
opt in.

This sort of mechanism has a couple of other useful benefits:
- It can protect against the future spammer who figures out one of
	the email addresses that bypasses moderation for all IETF lists
	(there are a few, and we all know what they are) and forges 
	that address as the source of the spam.  It also makes it
	possible to enlarge the list of always approved email addresses
	significantly (e.g., add the entire I*).
- It protects IETF participants against the next worm that sends
	email from person A's computer forging person B's email
	address as the source, bypassing the moderation filtering
	because B is a list member.
Based on the number of pointed complaints I received as a list
moderator after the last worm that forged known source addresses,
I suspect that we'd see a good number of people deciding to opt in
to this sort of mechanism after the next such worm outbreak.

Thanks,
--David
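
The following sketch is an added illustration, not part of the message above or of any IETF tooling. It models the opt-in moderation decision the message proposes, including the forged-address cases. The names (Registry, Message, decide), the sample addresses and fingerprints are constructed, and two points are assumptions the message does not spell out: mail claiming an opted-in address is held unless it carries a valid signature from the registered key, and a revoked sender is held for the moderator.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Message:
    from_addr: str             # From header, trivially forgeable
    list_name: str
    signer_fpr: Optional[str]  # fingerprint of the key whose S/MIME or PGP
                               # signature verified; None if unsigned/invalid

@dataclass
class Registry:
    keys: dict = field(default_factory=dict)         # opted-in addr -> key fingerprint
    subscribers: dict = field(default_factory=dict)  # list name -> set of addrs
    revoked: set = field(default_factory=set)        # privilege revoked by a moderator

    def revoke(self, addr):
        self.revoked.add(addr.lower())

    def subscribed_anywhere(self, addr):
        return any(addr in subs for subs in self.subscribers.values())

    def decide(self, msg):
        addr = msg.from_addr.lower()
        fpr = self.keys.get(addr)
        if fpr is not None:
            # Opted-in address: the From header alone proves nothing.
            if msg.signer_fpr != fpr:
                return "hold"  # unsigned, bad signature, or wrong key (assumption)
            if addr in self.revoked or not self.subscribed_anywhere(addr):
                return "hold"  # revoked senders go to the moderator (assumption)
            return "post"      # signed and registered: any list, no moderation
        # Not opted in: existing behaviour, subscribers of this list post directly.
        return "post" if addr in self.subscribers.get(msg.list_name, set()) else "hold"

def demo():
    # Constructed sample data: B has opted in, C has not.
    reg = Registry(keys={"b@example.org": "FPR-B"},
                   subscribers={"ipsec": {"b@example.org", "c@example.org"},
                                "dnsext": set()})
    out = {
        "signed_cross_list": reg.decide(Message("b@example.org", "dnsext", "FPR-B")),
        "worm_forges_b": reg.decide(Message("B@example.org", "ipsec", None)),
        "wrong_key": reg.decide(Message("b@example.org", "ipsec", "FPR-X")),
        "plain_subscriber": reg.decide(Message("c@example.org", "ipsec", None)),
        "plain_other_list": reg.decide(Message("c@example.org", "dnsext", None)),
    }
    reg.revoke("b@example.org")
    out["after_revoke"] = reg.decide(Message("b@example.org", "dnsext", "FPR-B"))
    return out

if __name__ == "__main__":
    print(demo())
```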