Authenticating email

Jonathan B. Bayer pmmail@rpglink.com
Wed, 03 May 2000 08:30:14 -0400 

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 03 May 2000 00:26:09 -0400 (EDT), Philip R. Mann wrote:

>Recently there was a thread on authenticating email.  Perhaps the
>solution lies with ISPs rather than PMMail.

But the same problem exists.  All the ISP can do is certify that a
message was delivered to a computer on a specific date/time.  There is
no way to verify that the computer in question was owned/controlled by
a specific person.  A user can always claim that his/her
userid/password/encryption key/computer were stolen.

Admittedly, this is still better than nothing.  What would be more
secure is some sort of active verification, which uses a
challenge/response series of questions to positively identify the user.
 But I can't imagine many people putting up with that sort of delay. 
For example, I have PMMail set to check my mail every 10 minutes.  I
would not put up with having to authenticate myself more than once a
day, which would make a challenge/response verification somewhat
useless if a connection is made and broken that often.  Perhaps a
single verification in the morning, and then the server & client would
exchange a unique session id which would be valid for a day would work.

This would require both mail clients and mail servers to work together
on this, something that currently isn't happening.  This would probably
require another RFC, which would take years to get generally accepted,
and then more years for all the software to become compliant with it.


JBB
- --
ICQ # 44910403
Power Listviewer URL:   http://www.bigfoot.com/~PowerListviewer
PMMail Archiver URL:    http://www.bigfoot.com/~Jonathan_Bayer/archiver

For PGP Public key block/Fingerprint send the following message to me as the Subject:
        Send PGP Signature

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.

iQCVAwUBORAb1I1F3x2FJJilAQH0PwQAsYm5M6vWUSSN/VlXOUD/lqDh88AYwKaD
I6E6WYgTfUfeVJ+OpuT/xQF8o6LX4i0X7q79/IypoB/9fIA8RGOWhxj+JZE3NlYf
aswkhKGpjHy5BlDOgZemhQIYqWSOav2QNRVBnA86XGBBW4thXTGCgLzeL7xCZ77q
01C4ZUSkS4U=
=ttdf
-----END PGP SIGNATURE-----