On Mon, 20 May 2002 00:58:40 -0400 kirk Bailey <[EMAIL PROTECTED]> wrote:
> n short, we can't techno fix it, so live with it, is this a accurate > summation of your position? No. The problem is obviously fixable if you and the users are willing to pay the prices. Given the political and human nature of the problem I've quite clearly pointed at where I see the "solution" (ie an address which is tolerable and even attractive enough to users to be used enough to be effective): PKI-based audit trails. It really doesn't matter if those audit trails are user based (ie per-user digital signatures) or reverse-auditable (as discussed previously) TLS signatures embedded in Received: headers. For what I hope are fairly obvious reasons I prefer client-side signatures, but they suffer from scalability and deployment issues, especially with regard to legacy systems. Hitting it at the TLS level has problems in that it requires non-trivial updates to the protocol specs, especially as regards gateways that do format or charset translations (non-trivial problem), but it involves few systems, and unlike client-side involves the effort and expense of those people most concerned and affected by the lack of audit trails, and are who tend to be more knowledgeable about the area in general: MX operators. Note that nothing prevents both approaches simultaneously. BUT, either approach requires widespread PKI deployment and adoption which is a non-trivial pre-condition. The former also requires widespread MUA support. The latter requires widespread MTA support. At a human and political level the latter is an easier and more approachable problem. -- J C Lawrence ---------(*) Satan, oscillate my metallic sonatas. [EMAIL PROTECTED] He lived as a devil, eh? http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
