Authentication and Authorization are two separate and distinct
issues. TLS and Authentication have been around for quite a while, but
without centralized authorization it will never be deployed by disparate
corporations for inter-domain mail! This will not stop spam. Unless of
course you want to manage user accounts or certificates with every
single customer that you want to have conversations with. Authorization
must still be authorized by a third party agency which verifies
validity between everyone involved in communications.
LP
Best Regards,
Larry
Larry Pingree
"Visionary people, are visionary, partly because of the great many
things they never get to see." - Larry Pingree
> single customer that you want to have conversations with. Authorization
> must still be authorized by a third party agency which verifies
> validity between everyone involved in communications.
You seem to be making a case for only accepting GPG-signed email, or at best
only accepting SMTP connections over SSL with a certificate issued by a
trusted CA. These both go to identity, though, not authorization.
I do not see an obvious way for a third party to verify that two entities
can validly communicate with each other--unless both entities are involved
in making that decision, or both parties have agreed on some set of criteria
beforehand. If you are simply after identity-tracking, there are ways to
enforce that other than creating a new "email server registry." If you mean
to suggest that you want someone else to decide who should be able to talk
to you--using their own criteria--it does not sound like you are proposing
something I would opt to be a part of.
Larry Pingree [25/06/04 12:47 -0700]:
> Authentication and Authorization are two separate and distinct
> issues. TLS and Authentication have been around for quite a while, but
> without centralized authorization it will never be deployed by disparate
I'm sure the IETF MARID list would be delighted to hear it, if you have any
--srs