
Re: Authentication and email



Paul,

Paul Hoffman wrote:
> S/MIME and PGP are used for
> authenticating the content of the messages, not for authenticating
> the sender.

Providing integrity without providing data origin authentication is
useless. And, of course, S/MIME provides data origin authentication.

> If that doesn't make sense to you, please go read the
> protocols: they're all on standards track and have been for many
> years. Summaries and links to the RFCs can be found at
> <http://www.imc.org/smime-pgpmime.html>.

Well, you can use S/MIME with self-signed certificates in an SSH-like
fashion to authenticate the sender of a SIP MESSAGE, for instance.

Once you can authenticate a user, the spammer needs to really subscribe
to the mailing list in order to send SPAM. Right now, using a forged
From field is enough. No subscription needed.

And even if you believe that authentication of users buys you nothing
regarding SPAM prevention, at least we would be *implementing* security
in the IETF mailing lists, which was Dean's original argument.

Any user agent that can send instant messages using SIP, MUST implement
S/MIME... if we believe that it is acceptable to send emails to the IETF
mailing lists without using any kind of security, why do we mandate
S/MIME for instant messages? That was the issue Dean was talking about.
3GPP was strongly opposed to that MUST S/MIME, but we insisted that it
had to be in the spec.

Gonzalo