I've kept fairly quiet (list volume has kept me falling behind almost consistantly), but I'll stick my head in here. Thus spake Dave Crocker (dhc@dcrocker.net) [06/05/03 11:21]: > ps. It strikes me that the RMX proposal is conceptually similar to the > old IDENT specification which purported to offer wonderful security but > was soundly rejected by the security community. The big difference is that IDENT is a per-user authentication mechanism, where as RMX is a per-domain authentication mechanism. IDENT gave you the ability to figure out which users were on a system. RMX just tells you the outbound MX for a domain. I don't see the massive security concerns. Being somewhat security-conscious, I /do/ see /small/ problems with the RMX record, specifically when talking about things like mixmaster. But the easy workaround is that mixmaster's either shouldn't use RMX, or should use RMX on the inbound (I haven't played seriously with the project, so my concept could be way off, but if they verify that mail coming in to the network is valid, then in turn, mail going out of the network remains valid, and is still anonymous. However, it does add a point of concern to inbound mail, but I don't believe it to be massive. If you wish to debate this point, mail me directly -- my ears are opened to corrections). Anonymous remailers could set up their RMX to be 0/0. So then spammers move to using mixmasters to send their mail. Well, short of legislation, I don't see any way to identify the valid source of spam once it gets in to a mixmaster setup. So all that really happens is that things like open relays and open proxies become less and less valuable, and anonymous remailers become infinitely more popular. However, they are no more /valuable/ than they are right now -- the provide the same service, they do the same thing.
Attachment:
pgp00086.pgp
Description: PGP signature