Re: Client and server authentication for email (was: RE: Last Call: 'Email Submission Between Independent Networks' to BCP)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 16:56 11/06/2005, John C Klensin wrote:
        (2) If the key issue is "be sure you are talking to the
        right server", then one could still use a
        challenge-response mechanism as long as the server were
        properly verified to the client.  Presumably that could
        be accomplished by client possession and verification of
        a server key or by an extra secret and handshake. That
        would presumably be "good enough" unless we also have a
        significant concern about sessions being hijacked once
        they have been properly initiated. I don't know the
        degree to which that is a practical concern (remember
        that SMTP sessions, especially pipelined ones, are
        typically pretty short and that, e.g., IMAP has
        provisions for in-session reverification although I
        believe they are still not intensively used).
        Conversely, if the server identity is not verified, or
        is verified only by the luser's receiving an
        incomprehensible warning message and clicking "accept"
        every time, then even encryption wouldn't seem to help
        much.

Yes. This is why I rise the multimodal general issue (can be check-back procedure, parallel exchanges, multichannels, multitechnology, etc.). This also goes with a generalised usage of IPv6 (identification of a permanent address - I do not think the IPSEC is of interest here as one never knows about the real end to end path?).
jfc



_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]