The Smith Report

[Jonathan Care]

On Thu, 01 Jun 2000, Ian BROWN wrote:
[mysnip]
> One reason we should be telling users why such a "service" might have=20
> unintended consequences.

Agree 100%. Most of the commercial products I have seen do selective acti=
ons
based on content. Messages that cannot be parsed (PGP, passworded ZIP fil=
es,
etc) can be parked, bounced, etc.

Maybe the next version of the nym servers will stego everything into haik=
u :-)

> >I am gravely disturbed by the suggestion that we can afford to be smug=
 about
> >this issue because we are technically skilled, run a particular operat=
ing
> >system, or for that matter, have a number of PGP keyrings, nym address=
es, and
> >run anonymous remailers in our spare time.
>=20
> I was not intending to be smug, simply pointing out that if the (obviou=
s) fact=20
> that SSL between sendmails leaves the end-points vulnerable concerns yo=
u, move=20
> the end-points.

I apologise for the word "smug" - it was certainly not intended to be an =
attack
on you (end of a stressful day). SSL traffic however can be layer-4 route=
d - to
null0 if desired, or to a "middleman" server. Although I would presume th=
at an
SMTP server which used PKI for authentication would safely be able to acc=
ept
"all comers", we all know that currently, many SMTP servers will only acc=
ept
mail from a limited set of sources, in an attempt to limit spam.

> Netscape 4 has an option to run SSL to an SMTP server. If it also allow=
ed mail=20
> to be delivered direct to the recipient's server, it would remove one=20
> end-point. That certainly doesn't require a root password.

As long as the legislative framework doesn't make the risk of operating t=
he
technical infrastructure in this way, then that is excellent. I guess tha=
t will
bypass all the DUL restrictions, etc.

--=20
Jonathan Care - +44 (0) 7061 170337
Nobody does it better, makes me feel sad for the rest.