[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Challenge-response mail filters considered harmful

> From mrroach@okmaybe.com Tue Aug  5 14:27:40 2003
> On Tue, 2003-08-05 at 11:19, Steve Lamb wrote:
> > On 05 Aug 2003 10:59:52 -0400
> > Mark Roach <mrroach@okmaybe.com> wrote:
> > > You do care if someone else pretends to be you and makes you look bad
> > > though, don't you? It's really not hard to do.
> > 
> >     He does.  In fact he perports that C-R is a better defense than PGP.

No. I didn't ever say anything like that.

> I've gone searching for the rest of the thread (since the parent seems
> to keep breaking threads) and don't see anything that indicates how
> challenge response can be used to validate identity... 

No. They don't. Nor did I ever say they did.

> how does challenge response help if I post on debian-user and set my
> From: header to say "Steve Lamb <grey@dmiyu.org>" and rant and rave
> against debian in general and other users in particular? Obviously you
> can't prove a negative there, but it is more believable if you say "it
> wasn't me" if you normally sign your messages.

It doesn't. And I never said it would.

> > > > 2) They are a an extreme violation of netiquette
> >  
> > > Please point me to the rfc for netiquette. There is no "one true
> > > netiquette"
> > 
> >     Erm, actually... 1855.
> > 

There are conventions. Maximum of 4 line sigs, for one thing. That one is
hard-coded into SLRN, although you can disable it.

> >From rfc 1855:
> "This memo provides information for the Internet community. This memo
> does not specify an Internet standard of any kind. Distribution of this
> memo is unlimited."
> also from that rfc (although written in reference to news):
> "Forging of news articles is generally censured. You can protect
> yourself from forgeries by using software which generates a manipulation
> detection "fingerprint", such as PGP (in the US)."
> So even though it is not a real Internet standard, it indicates that pgp
> is an appropriate measure to "protect against forgeries"
> -Mark

Mark, you are dealing with people who are misrepresenting CR programs.

Not one word of the above has ANY relevance to them.

For one thing, they have nothing to do with Usenet. For another, they have
nothing to do with identity verification.

I received mails from 8 people today who are using MSP and happy as can
be about it.

Neither they nor I care one whit whether anyone likes  CR programs or not.


      For Linux/Bash users: Eliminate spam with the Mailbox-Sentry-Program. 
         See: http://tinyurl.com/inpd  for the scripts and docs.

Reply to: