Re: Challenge-response mail filters considered harmful
On Tue, 2003-08-05 at 11:19, Steve Lamb wrote:
> On 05 Aug 2003 10:59:52 -0400
> Mark Roach <firstname.lastname@example.org> wrote:
> > You do care if someone else pretends to be you and makes you look bad
> > though, don't you? It's really not hard to do.
> He does. In fact he perports that C-R is a better defense than PGP.
I've gone searching for the rest of the thread (since the parent seems
to keep breaking threads) and don't see anything that indicates how
challenge response can be used to validate identity...
how does challenge response help if I post on debian-user and set my
From: header to say "Steve Lamb <email@example.com>" and rant and rave
against debian in general and other users in particular? Obviously you
can't prove a negative there, but it is more believable if you say "it
wasn't me" if you normally sign your messages.
> > > 2) They are a an extreme violation of netiquette
> > Please point me to the rfc for netiquette. There is no "one true
> > netiquette"
> Erm, actually... 1855.
>From rfc 1855:
"This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of this
memo is unlimited."
also from that rfc (although written in reference to news):
"Forging of news articles is generally censured. You can protect
yourself from forgeries by using software which generates a manipulation
detection "fingerprint", such as PGP (in the US)."
So even though it is not a real Internet standard, it indicates that pgp
is an appropriate measure to "protect against forgeries"