Slashdot Mirror

← Back to Stories (view on slashdot.org)

AMTP as an Alternative to SMTP

Posted by michael on from the bad-ideas dept.

SamMichaels writes "AMTP was published as an Internet Draft last week. It suggests using a 'Mail Policy Code' during the transaction to identify what kind of mail is being sent (administrative, personal, commercial, etc). Another plus is the use of TLS using x.509 certificates signed by a CA so you know exactly where the mail came from. Sounds like a solid plan...now to get a certificate signed for a decent price is the challenge."

5 of 328 comments (clear)

  1. Its a good idea by blaster · · Score: 5, Insightful

    But in general end to end security models like this have had trouble because it has not been possible to get central signing in a way that can be administrated cheaply enough to allow wide deployment. I fear that this will fester in the same acceptance purgatory as DNSSEC, for roughly the same reasons

    1. Re:Its a good idea by AftanGustur · · Score: 5, Insightful


      But in general end to end security models like this have had trouble because it has not been possible to get central signing in a way that can be administrated cheaply enough to allow wide deployment.


      If the state is serious enough about this problem (and they will, one day) they will manage and issue certificates for whoever wants one.

      It shouldn't have to cost more to manage a certificate than it costs to manage a credid card account .. Even less, since once the issuer has issued the certificate, he doesn't have to protect any part of it himself.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  2. No protection against viruses by Anonymous Coward · · Score: 5, Insightful

    Now, viruses browse your contact list and send a message to everyone in the list. If this breaks through, the viruses will browse your contact list, and send a message to everyone in the list using the key, something which Outlook will probably do automatically.

    Oh, yes, there is one difference. The CA will get lots of profit for selling certificates.

  3. Re:Why should we pay CA? by Anonymous Coward · · Score: 5, Insightful

    A new 4 point plan for SPAM:

    1. Hijack domain
    2. Get CA to issue cert
    3. Spam (or ?????)
    4. Profit???

    People who routinely hijack entire netblocks to send SPAM are not going to be bothered by providing fraudulent credentials to a CA.

  4. What about bankruptcies? by taliver · · Score: 5, Insightful

    I'm company A.com, and I buy a certificate (or get one for free from some free-sign authority). I use it completely legitamately. Only for receipts to paying customers, and to deliver "timely updates" for their software or whatever.

    Now I fall on hard times. And go broke.

    In the liquidation proceedings, a spammer swoops down and buys my certificate. It's a valued commodity to him, and the courts, I don't believe, are not going to care about the nefarious purposes he may have in mind.

    But now lots of people are getting spam in my name.

    So, would the CA have the power to "ungrant" the certificate, and therefore also be able to hold thousands of companies hostage. (Imagine starting as a 'free' service, and then suddenly 'changing your policy'.)

    Or will the clients at the end have to say that certain CA's aren't valid. If so, how is this different form white-list/black-list.

    Now, anything that tries to fight spam I am for. However, I believe the number one thing needed is accountability. If someone sends me mail, I need to be able to reach out and touch them, with a phone number or anything else I feel like. And the latest round of email viruses wouldn't work if I couldn't fake the address it was being sent from.

    --

    I demand a million helicopters and a DOLLAR!