[Asrg] Authentication tokens
gep2@terabites.com Fri, 20 June 2003 22:15 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12576 for <asrg-archive@odin.ietf.org>; Fri, 20 Jun 2003 18:15:31 -0400 (EDT)
Received: (from exim@localhost) by www1.ietf.org (8.11.6/8.11.6) id h5KMF4326640 for asrg-archive@odin.ietf.org; Fri, 20 Jun 2003 18:15:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19TU9w-0006vb-NI for asrg-web-archive@optimus.ietf.org; Fri, 20 Jun 2003 18:15:04 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12507; Fri, 20 Jun 2003 18:15:00 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19TU9t-0003v9-00; Fri, 20 Jun 2003 18:15:01 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19TU9t-0003v6-00; Fri, 20 Jun 2003 18:15:01 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19TU9u-0006tC-AF; Fri, 20 Jun 2003 18:15:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19TU9r-0006sX-O2 for asrg@optimus.ietf.org; Fri, 20 Jun 2003 18:14:59 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12481 for <asrg@ietf.org>; Fri, 20 Jun 2003 18:14:55 -0400 (EDT)
From: gep2@terabites.com
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19TU9p-0003v3-00 for asrg@ietf.org; Fri, 20 Jun 2003 18:14:57 -0400
Received: from h008.c000.snv.cp.net ([209.228.32.72] helo=c000.snv.cp.net) by ietf-mx with smtp (Exim 4.12) id 19TU9o-0003v0-00 for asrg@ietf.org; Fri, 20 Jun 2003 18:14:56 -0400
Received: (cpmta 18001 invoked from network); 20 Jun 2003 15:14:55 -0700
Received: from 12.239.18.238 (HELO WinProxy.anywhere) by smtp.terabites.com (209.228.32.72) with SMTP; 20 Jun 2003 15:14:55 -0700
X-Sent: 20 Jun 2003 22:14:55 GMT
Received: from 192.168.0.30 by 192.168.0.1 (WinProxy); Fri, 20 Jun 2003 17:14:42 -0600
Received: from 192.168.0.240 (unverified [192.168.0.240]) by nts1.terabites.com (EMWAC SMTPRS 0.83) with SMTP id <B0000024129@nts1.terabites.com>; Fri, 20 Jun 2003 17:41:49 -0500
Message-ID: <B0000024129@nts1.terabites.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
To: asrg@ietf.org
X-Mailer: SPRY Mail Version: 04.00.06.17
Content-Transfer-Encoding: 7bit
Subject: [Asrg] Authentication tokens
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Fri, 20 Jun 2003 17:41:49 -0500
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
>> Authentication tokens typically require special software > provisions on the part of both the sender and the recipient. > You're new to the list and thus have probably missed some of the earlier discussion. Indeed, and thanks for understanding that. :-) > While authentication tokens *typically* require software support at both sender and receiver, there is a class of them that only requires software support on the receiver side. These are the "single user" addresses. I might, for instance, create an address that authorized you to send me mail. Such an address would look something like: "bob+1092837@example.com". The "token" part of this address would be a hash of your "From:" address. With such an address, you don't need any software on your side to pass the token. The first problem I see with that is that you basically cannot give your E-mail address to anybody without a) knowing EXACTLY what E-mail address they'll be replying from, and b) being able to compute on-the-spot the hashcode they'll need to write you. Besides the issue of TWO users in such situation trying to decide what E-mail address to give the other (where EACH's E-mail address will depend on the other's address... and neither can give their E-mail address first!) there's also (for instance) the case of a mailing list like this one... where each person's E-mail address they use for subscribing to the list will appear in the messages posted to the list, but nobody other than the listbot can possibly reply to them using that address. While an interesting curiosity, I think that has a lot more problems than my permissions-based approach. Now, one POSSIBLE hybrid that COULD be interesting maybe is to say that E-mail arriving without the code token in the E-mail address would be handled differently somehow with regard to the permissions list... although at first blush, I don't see that it buys you a whole lot that you don't already get from just using the sender/recipient address pair to begin with. >> The whitelist I propose NEVER needs to be sent to anybody, > ... only just the point where the filtering is done. > Even if never sent to anyone, there is still a privacy concern with whitelists since if they are explicit lists, they provide a single list of all of your correspondents. Actually, they ONLY provide a list of those to whom you have assigned "special" rights. ISP's e-mail logs ALREADY give those ISPs a list of everyone you've ever received mail from, or sent mail to, so I think your argument doesn't really impress me very much. > In many cases, people will feel that compiling such a list is a risk to their privacy since such a list would be open to inspection by government agencies under some circumstances and to employees of an ISP if the list is maintained remotely. Again, a red herring... those logs (lists) already exist. > Even if only maintained on your personal machine, it could be embarrassing if people with physical access to your machine could discover the full universe of your correspondents. They could do the same thing (with access to your machine) by investigating your E-mail archives and address book. Far (far!!) more revealing than ANY mere list of trusted senders and the permissions assigned to each. Gordon Peterson http://personal.terabites.com/ 1977-2002 Twenty-fifth anniversary year of Local Area Networking! Support the Anti-SPAM Amendment! Join at http://www.cauce.org/ 12/19/98: Partisan Republicans scornfully ignore the voters they "represent". 12/09/00: the date the Republican Party took down democracy in America. _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] Authentication tokens gep2
- Re: [Asrg] Authentication tokens Jon Kyme