Re: more on starttls, gnutls-cli and using tls for mail

From: Stephen J. Turnbull
Subject: Re: more on starttls, gnutls-cli and using tls for mail
Date: Thu, 18 Aug 2011 12:11:14 +0900

Tim Cross writes:

 > Thanks Karl. It seems there are use cases for using different
 > authenticated users based on the from/reply address being used.
 > However, it should be noted that this is not due to any requirement
 > or limitation of smtp

Lack of a standard authentication method *is* the limitation of
email-as-we-know-it.  As Chad points out, there are various standards
available, but SMTP itself knows about none of them, and therefore
none are reliably available.

There is a fundamental requirement of email-as-we-know-it, that it be
a way for any dog on the Internet to get in touch with you.  (This is
why Karl and Chad have so many addresses: "address@hidden" means
nothing to most latent correspondents, while "address@hidden"
does, to some fraction that Karl cares about.)  On the other hand, the
fact that among the dogs is Dogbert (aka Canter/Siegel et al, not to
mention even less lovable folk such as stalkers) means that private
mailboxes are widely desired.

Lack of a standard authentication method *at the receiving end* means
that there's no single way to identify mail from expected senders at
your *private* mailbox.  Lack of a standard authentication method *at
the sending end* means there's no way to guarantee you'll be
recognized by the recipient's private mailbox.  So there's no way to
implement reliable private mailboxes.  Not even security-via-obscurity
works because your ISP may filter, *must filter*, based on something
other than sender credentials.

It should be obvious that users will evolve complex, *idiosyncratic*
methods to deal with this complex environment, as recipients and
senders implement a variety of partially coordinated solutions to the
problem of protecting mailbox privacy where desired.

I don't know whether this means that smtp-auth-credentials is needed
to implement such methods (presumably not, Are We Not Hackers?), but
I'm a bit surprised that a project sufficiently conservative about
email that RMail is its default MUA didn't follow the usual process of
obsolete'ing the variable before, uh, jerking the rug out from under
people's .emacs'es.
