This is a tactic I have seen time and again: There is no time to do the job properly, so the only alternative is to do things my way, MY WAY, CAN'T YOU IDIOTS HEAR ME?? M-Y W-A-A-A-A-Y-Y-Y-Y-Y-Y!

And every time this happens with a ludicrously short time horizon the result is the same: years after the original deadline has passed, the group is still nowhere and still trying to solve a problem with the same inadequate analysis and solution.

I went to an SDMI conference in London four or five years ago, their deadline was by Christmas... I don't think they have got any further since.

Challenge response is not a new scheme, ask Nathaniel, he had a challenge response on his email system years ago. Either he whitelisted me or he has stopped using it. If the latter, perhaps he could explain why?

The problem with challenge response is that it does not eliminate spam, it merely displaces it. Every time a message is sent to one of these people they send out a spam.

Challenge response is simply a weak form of authentication. There are existing known attacks that bypass it - the hijacked mailing list being only one example. If all that is required is to reply to the challenge, spam senders will soon adapt. If C/R became common then so would the counter-strategy.

There are much better forms of authentication possible that are stronger and less intrusive to the end user. S/MIME with self-signed keys being one. 90% of all email clients in use today have native S/MIME support, plugins for the rest are readily available.

Even authentication on the basis of the IP address of the outgoing mail servers is more secure than C/R. It is true that attacks exist but they are not as simple as those for C/R.

Phill