on 6/7/2003 6:01 PM Paul Vixie wrote:

>>> Probably better to specify the gateway tagging, ...
>
> and we're going to convey trust and credence through a nontrusted
> system

How? We can discover without question who the first MT2 system in the path was, and (assuming that identity information is required, which I do) that gateway will also have had to present identity information about the sender. All rules, recommendations, and supportive integrity mechanisms aside, those are going to be your primary actionable knobs.

Assume that somebody like AOL embraces this system for private transfers with some other large-scale provider. They probably won't update all of their submission services beforehand, but instead will just map their existing authenticated submission services to this system. E.g., they'll see who a particular mail message is from, locate the appropriate user certificate in their private directory, and feed that into the system. This same model can hold true for private Exchange, GroupWise, or SMTP AUTH submission services. All of these are examples of gateways that can leverage authentication services to map a sender certificate, even if those networks aren't running MT2 as the native service.

So the problem isn't with "gateways", it's with unauthenticated senders. Simply put, messages won't make it to the next hop inside the MT2 transfer network UNLESS the gateway provides a user cert for the sender identity; the next hop would otherwise just reject the message.

Gateway rules (which weren't discussed in any of the above) can give you more information to act on. For example, you can set your defenses higher if you see remnants of more than one legacy Received header, or if there are other characteristics you don't like. Obviously gateways are going to be necessary, so it's really going to be a question of being able to apply the right kind of heuristics.

> if smtp fallback is desired, it must be done in the sending user agent,
> who upon not finding the SRV RR, could ask "try smtp instead?".

Conversion in either direction could theoretically occur at any point. What cannot easily happen is for any message to get past the first hop of the MT2 network without having entered at a system which did not have access to user credentials.

[not to Paul, who already gets it: On the subject of identity-tracking, this subject is a non-starter. Folks can gather and use all of the identities they want from any number of ISPs and mail services (you can call yourself WonderWoman@yahoo and nobody will care as long as it validates). This is, in the end, the same level of anonymity that is available with SMTP today]

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
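The two steps the message above describes, as an added example that is not code from the thread, from Eric Hall, or from any MT2 implementation: a legacy submission gateway that maps an already-authenticated sender to a certificate before handing the message into the MT2 side, and a next hop that rejects anything arriving without a certificate that verifies and matches the claimed sender, then raises its guard when more than one legacy Received header survives. The header name X-MT2-Sender-Cert, the HMAC-based toy "certificate", the shared gateway key, the directory of authenticated users and the sample message are all assumptions constructed for the illustration; a real deployment would use X.509 certificates and proper certificate validation in place of the HMAC.

```python
"""Added example, not code from the thread or from any MT2 implementation.
Sketches a legacy submission gateway that stamps an authenticated sender's
cert on the message, and a next hop that enforces the cert before accepting.
CERT_HEADER, GATEWAY_KEY, AUTHENTICATED_USERS and SAMPLE_MESSAGE are assumed
or constructed for the illustration only."""
import hashlib
import hmac
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import Optional, Tuple

CERT_HEADER = "X-MT2-Sender-Cert"    # assumed header name
GATEWAY_KEY = b"assumed shared key"   # stand-in for real certificate verification

# Constructed: the gateway's private directory of authenticated submitters.
AUTHENTICATED_USERS = {"alice@example.net", "bob@example.net"}

# Constructed sample message carrying two legacy Received lines from before the gateway.
SAMPLE_MESSAGE = """\
Received: from mail.example.org by gw.example.net; 7 Jun 2003 18:01:00
Received: from [192.0.2.10] by mail.example.org; 7 Jun 2003 17:59:00
From: Alice <alice@example.net>
To: someone@example.com
Subject: test

hello
"""


def issue_cert(identity: str) -> str:
    """Toy certificate: the sender identity bound to a MAC under the gateway key."""
    identity = identity.lower()
    tag = hmac.new(GATEWAY_KEY, identity.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{identity}|{tag}"


def verify_cert(cert: str) -> Optional[str]:
    """Return the certified identity, or None if the tag does not check out."""
    identity, _, tag = cert.partition("|")
    expected = hmac.new(GATEWAY_KEY, identity.encode(), hashlib.sha256).hexdigest()[:32]
    if not tag or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return identity


def gateway_map_sender(raw_message: str, authenticated_user: str) -> Optional[str]:
    """Gateway step: the submission service already knows who authenticated,
    so attach that user's cert. An unauthenticated sender gets None, i.e. the
    message never enters the MT2 side at all."""
    user = authenticated_user.lower()
    if user not in AUTHENTICATED_USERS:
        return None
    msg = message_from_string(raw_message, policy=default)
    del msg[CERT_HEADER]          # drop any cert header the client injected itself
    msg[CERT_HEADER] = issue_cert(user)
    return msg.as_string()


def next_hop_policy(raw_message: str, max_legacy_hops: int = 1) -> Tuple[str, str]:
    """Next-hop rule: no cert, a cert that does not verify, or a cert that does
    not match the From address means reject; otherwise accept, flagging messages
    that carry more than max_legacy_hops legacy Received headers for stricter handling."""
    msg = message_from_string(raw_message, policy=default)
    cert = msg.get(CERT_HEADER)
    if cert is None:
        return ("reject", "no sender certificate presented by gateway")
    identity = verify_cert(str(cert))
    if identity is None:
        return ("reject", "sender certificate does not verify")
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != identity:
        return ("reject", f"certificate for {identity} does not match From {sender}")
    legacy_hops = len(msg.get_all("Received", []))
    if legacy_hops > max_legacy_hops:
        return ("accept-suspect", f"{legacy_hops} legacy Received headers survived")
    return ("accept", "certified sender")


if __name__ == "__main__":
    stamped = gateway_map_sender(SAMPLE_MESSAGE, "alice@example.net")
    print(next_hop_policy(stamped))          # accept-suspect: two legacy hops
    print(next_hop_policy(SAMPLE_MESSAGE))   # reject: no cert was ever attached
```

The gateway deletes any pre-existing cert header before stamping its own, so a client cannot smuggle a forged certificate through an authenticated submission path, and the next hop checks the certified identity against the From address, so a valid certificate for one user cannot be reused to vouch for another.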