Slashdot Mirror


Revising the Internet Email Infrastructure

Lauren Weinstein writes "People For Internet Responsibility (PFIR) today released a white paper aimed at starting discussion and work to fundamentally revamp Internet e-mail systems to control spam, forgeries, and a range of other problems, while empowering e-mail users rather than ISPs." Excellent start.

12 of 311 comments

  1. PGP by Richardsonke1 · · Score: 5, Informative

    Until this comes out, PGP is a great way to keep your email private and secure. It also deals with forged headers using email signing. MIT has a great client here.

    --
    "Men lie."
    "Yeah, about sleeping with other women, but never about bioluminescent plankton."
    -Dan Brown

    1. Re:PGP by rtnz · · Score: 5, Informative

      I would suggest GnuPG, free as in free.

      GnuPG

  2. I thought by Enrico+Pulatzo · · Score: 2, Informative

    that Public Key Encryption was the answer to email woes. PK just needs to be adopted across the board.

    I thought about writing more, but I really don't see the need to.

    1. Re:I thought by axxackall · · Score: 2, Informative

      I absolutely support that PK is the way to protect email. However, the trick is in infrastructure, PKI.

      What is the % of email users who receive their MUA (email clients) with PKI support? Is there any PKI support in Yahoo and Hotmail free email hosting systems? How about AOL, Earthlink and other ISPs?

      OK, my friends have got Evolution and Outlook, both with PKI support. Is it right that they can sign email and read it? No problems between proprietary and open standards?

      Finally, what CA can they use? How easy is it? Is it free?

      And don't forget: do all (or most of) email users know what PKI is and why they need it?

      Personally I use GPG. But I see (and experience!) lots of problems with PKI and with other users because most of the questions above have not-so-promising answers.

      --

      Less is more !

  3. Site Quote by Anonymous Coward · · Score: 3, Informative

    PFIR - People For Internet Responsibility
    TRIPOLI Project Press Release
    May 8, 2003

    PFIR Home Page

    PFIR Announces the "TRIPOLI" Project

    A Call to Arms to the Internet and Open-Source Communities!
    It's Time to Secure E-Mail, Control Spam, and Empower E-Mail Users!

    People For Internet Responsibility (PFIR) co-founders Lauren Weinstein and Peter G. Neumann today called on the Internet and Open-Source Communities to consider a proposal for the most significant and far-reaching changes to e-mail systems since the creation of the Internet and its ancestor ARPANET more than 30 years ago.

    PFIR today released a white paper describing a proposed project to consider the implementation and deployment of widespread encryption, authentication, anti-spam, and other advances directly into the fundamental structure of Internet, intranet, and local e-mail systems.

    The "TRIPOLI" project overview paper located at:

    http://www.pfir.org/tripoli-overview

    describes the proposed new environment which focuses on ensuring that choices and power regarding e-mail are vested directly with e-mail users themselves, rather than with Internet Service Providers (ISPs) or government agencies.

    The changes described by the TRIPOLI proposal could be gradually implemented, largely based upon open-source software tools that already exist. Ultimately under TRIPOLI, the volumes of forgeries and spam (both received by users and traversing the Internet) would be drastically reduced, by default all e-mail would be encrypted, and e-mail users would have essentially complete control over how they individually choose to send and receive e-mail.

    "Current e-mail systems were not designed to deal with the kind of world we have today -- they've become a hopeless nightmare for users and ISPs alike," said Weinstein. "E-mail users are inundated with spam, forged mail, and other garbage, and unfortunately the actions many ISPs are taking to try to control spam and other e-mail are shackling their honest customers with unreasonable restrictions and making matters even worse. Some of the proposed anti-spam laws may also exacerbate these problems without really controlling spam at all. Legitimate e-mail users need to be put back in the driver's seat, and there isn't a moment to lose."

    "These problems are getting more severe every day," said Neumann. "Not only are users and networks drowning under spam and other e-mail deficiencies, but basic matters of security and reliability on the Internet are being largely ignored under the current intolerable situation. These critical problems simply cannot be fixed without coordinated and major changes to the way e-mail is handled throughout the Internet. It's going to be a big job, but we have to get going on this right now."

    PFIR hopes that the TRIPOLI proposal can act as a starting point for discussion and implementation of systems to solve the many e-mail problems that exist today, in a manner that empowers users rather than unfairly restricting them. PFIR invites the participation of the open-source and Internet communities at large towards these crucial goals.

    Persons interested in participating or getting more information about the TRIPOLI project can send e-mail to:

    tripoli-info@pfir.org

    or use the contacts listed below.

    - - -

    CONTACTS:

    Lauren Weinstein
    lauren@pfir.org
    Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
    Moderator, PRIVACY Forum - http://www.vortex.com
    Member, ACM Committee on Computers and Public Policy
    http://www.pfir.org/lauren

    Peter G. Neumann
    neuma

  4. Posted Article by DarkBlackFox · · Score: 1, Informative

    In case of slashdotting, the text of the article reads:

    People For Internet Responsibility (PFIR) co-founders Lauren Weinstein and Peter G. Neumann today called on the Internet and Open-Source Communities to consider a proposal for the most significant and far-reaching changes to e-mail systems since the creation of the Internet and its ancestor ARPANET more than 30 years ago.

    PFIR today released a white paper describing a proposed project to consider the implementation and deployment of widespread encryption, authentication, anti-spam, and other advances directly into the fundamental structure of Internet, intranet, and local e-mail systems.

    The "TRIPOLI" project overview paper located at:

    http://www.pfir.org/tripoli-overview

    describes the proposed new environment which focuses on ensuring that choices and power regarding e-mail are vested directly with e-mail users themselves, rather than with Internet Service Providers (ISPs) or government agencies.

    The changes described by the TRIPOLI proposal could be gradually implemented, largely based upon open-source software tools that already exist. Ultimately under TRIPOLI, the volumes of forgeries and spam (both received by users and traversing the Internet) would be drastically reduced, by default all e-mail would be encrypted, and e-mail users would have essentially complete control over how they individually choose to send and receive e-mail.

    "Current e-mail systems were not designed to deal with the kind of world we have today -- they've become a hopeless nightmare for users and ISPs alike," said Weinstein. "E-mail users are inundated with spam, forged mail, and other garbage, and unfortunately the actions many ISPs are taking to try to control spam and other e-mail are shackling their honest customers with unreasonable restrictions and making matters even worse. Some of the proposed anti-spam laws may also exacerbate these problems without really controlling spam at all. Legitimate e-mail users need to be put back in the driver's seat, and there isn't a moment to lose."

    "These problems are getting more severe every day," said Neumann. "Not only are users and networks drowning under spam and other e-mail deficiencies, but basic matters of security and reliability on the Internet are being largely ignored under the current intolerable situation. These critical problems simply cannot be fixed without coordinated and major changes to the way e-mail is handled throughout the Internet. It's going to be a big job, but we have to get going on this right now."

    PFIR hopes that the TRIPOLI proposal can act as a starting point for discussion and implementation of systems to solve the many e-mail problems that exist today, in a manner that empowers users rather than unfairly restricting them. PFIR invites the participation of the open-source and Internet communities at large towards these crucial goals.

    Persons interested in participating or getting more information about the TRIPOLI project can send e-mail to:

    tripoli-info@pfir.org

  5. Re:It's called "IMAP" by conteXXt · · Score: 2, Informative

    I don't think they are discussing the mailbox protocols here.

    I think it's the transports (MTA I believe, think MX records)

    --
    The truth about Led Zep should never be told on /. (Karma suicide ensues)

  6. Get it right the first time.. by KD7JZ · · Score: 2, Informative

    Problems like the current state of e-mail always inspire me to consider the need to do things right the first time. There are many good systems that grow organically and work well but at some point it is realized that there are major holes. At that point the installed base is too big...

  7. Re:Whoa, boys.. by DeltaSigma · · Score: 2, Informative

    That was really funny until I finally found out that Gore never said he created the internet, but rather suggested that many topics he tackled in politics directly benefitted the widespread adoption of the internet during its earlier stages of growth.

  8. The Simple Solution... by radulovich · · Score: 3, Informative

    Is not to reinvent the protocol. Spammers will disappear if nobody reads their spam (because it will be too ineffective, even at a cheap price).

    The better solution is simple - let me rate the "trustworthiness" of the sender who sends me email and sort it appropriately. I can add all my family and friends to the "explicitly trusted" list. Then, the server can allow for an option such as "possibly trusted", which might include all emails from the same domain I'm in, or from domains I specify (e.g. *@mit.edu).

    All other email will be tagged as "untrusted". Now, I can set my email browser to color code them, simply ignore them, or set a rule for each category. Yahoo! already does this, showing a smiley face with the emails that come from people in my address book.

    This can be done simply, and without rewriting any protocols. Beware people who want to reinvent the wheel to gain profit when there is no need. "Pit certification" is unnecessary, and too costly.

    -Mark Radulovich, CISSP
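
The three-tier sender sorting described in the comment above, sketched as an added example that is not part of the original post or of any mail product. The list contents, the `classify_sender` name and the sample messages are constructed assumptions; only the `*@mit.edu` pattern comes from the comment.

```python
from email import message_from_string
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Hypothetical policy for one mailbox owner (addresses are constructed).
EXPLICITLY_TRUSTED = {"mom@family.example", "bob@friends.example"}
POSSIBLY_TRUSTED_PATTERNS = ["*@mit.edu", "*@mycompany.example"]


def classify_sender(raw_message: str) -> str:
    """Return 'explicitly trusted', 'possibly trusted' or 'untrusted'.

    Only the address part of the From header is compared; the display name
    is free text and is ignored. The From header itself is unauthenticated,
    so the tier is a sorting hint for the reader, not proof of origin.
    """
    msg = message_from_string(raw_message)
    senders = [addr.strip().lower()
               for _, addr in getaddresses(msg.get_all("From", []))]
    # Missing, empty or multi-author From headers get the lowest tier.
    if len(senders) != 1 or "@" not in senders[0]:
        return "untrusted"
    sender = senders[0]
    if sender in EXPLICITLY_TRUSTED:
        return "explicitly trusted"
    if any(fnmatchcase(sender, p) for p in POSSIBLY_TRUSTED_PATTERNS):
        return "possibly trusted"
    return "untrusted"


# Constructed sample messages, one per case worth checking.
SAMPLES = {
    "family": "From: Mom <Mom@Family.example>\nSubject: dinner\n\nhi",
    "domain": "From: registrar@mit.edu\nSubject: forms\n\nhi",
    # Trusted address placed in the display name, real address elsewhere.
    "display_name": 'From: "mom@family.example" <x@bulk.example>\n\nhi',
    "no_from": "Subject: offer\n\nhi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {classify_sender(raw)}")
```
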

  9. Re:Too many goals by Anonymous Coward · · Score: 2, Informative

    What's wrong with just providing encryption, without any of the additional burdens of establishing identity?

    you mean apart from the fact that it doesn't buy you anything? if you don't know whose key you're encrypting a message for, it may turn out to be exactly the person you wanted to keep it secret from. conversely, if you aren't sure who sent that mail that purports to have come from Foo Barfly, the fact it was encrypted for your public key is no guarantee of anything useful.

    your "virtual receptionist" idea is one way to establish an identity-of-sorts. it establishes that (1) your return address is valid; and (2) there's someone or something paying attention to return mail. if you design the challenge such that machines can't autorespond to it, then your system can further establish it's a someone, not just a something. you're still not sure, of course, that it's the right someone, but you're on your way to establishing a little bit of trust, because your system is telling you something useful about the other party.

    all that SSL CAs and/or the PGP web of trust do above this is try to ensure it's the same one entity you speak with every time you send mail to that given address, and try to provide some sort of "official" name or label to identify said entity. as you found out, those things turn out to be a lot more difficult and expensive than most people think. whether you're willing to do without them is up to you.

  10. Re:Yeah, Right by Anonymous Coward · · Score: 1, Informative

    IPV6 is probably not a particularly good example. I, as a sysadmin for an ISP, cannot deploy IPV6 until a workable solution for multihoming appears. Since I don't qualify for the draconian requirements for provider independent address space in IPV6, I cannot multihome (under current technology) which means I cannot provide the same level of reliability which I am currently able to provide on IPV4. This is probably the reason a large chunk of the established world has not even started to switch.

    "Tripoli", however, does not have that issue. It can be run in parallel over existing network infrastructure without requiring large technological investments by companies wishing to support it. (Once any necessary software exists.)