Xref: utzoo comp.protocols.tcp-ip:14812 comp.mail.uucp:5856
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!stan!imp
From: imp@Solbourne.COM (Warner Losh)
Newsgroups: comp.protocols.tcp-ip,comp.mail.uucp
Subject: Re: Are There Standards For Secure Mail Transfer Via SMTP?
Message-ID: <1991Feb8.180500.11290@Solbourne.COM>
Date: 8 Feb 91 18:05:00 GMT
References: <38975@cup.portal.com> <1991Feb8.110317.3949@unipalm.uucp>
Organization: Solbourne Computer, Inc., Longmont, CO
Lines: 35

Will@cup.portal.com (Will E Estes) writes:
>Can someone briefly discuss any standards that might exist, or be
>in the process of development, for the sending of secure mail via
>SMTP or via the Internet. Also, are there any relevant RFCs on
>this topic?

There are a couple of RFCs (1113, 1114, 1115) on something called
"Privacy enhancement for Internet electronic mail", which is mail that
has been encrypted. There are some provisions for authenticating the
sending user, but they are "weak".

While there is an account called "root" with all the privs that it
has, there will be no way to have "totally secure, authenticated
mail". After all, if I wanted to send mail from Joe Hothead to his
boss calling him a jerk, then I could su, then su jhothed and flame
away. And it could be done w/o a way to trace it back to me (after
all, root can nuke accounting files). User authentication is a
difficult problem to solve completely.

Also, while there are sites on the Internet with older mailers (and
can't be upgraded to the latest sendmail since they aren't running
Unix), there will be a problem with mailer spoofing. Even with the
latest sendmail, I could send mail to Joe's boss as Joe w/o any privs.
Or, in other words, you can't trust your mail 100%, since it is
relatively easy to forge.

However, I encourage all reasonable steps that can be taken to
authenticate a connection. There are many heuristics that can be used
to detect clumsy forgeries.
Warner
--
Warner Losh		imp@Solbourne.COM
We sing about Beauty and we sing about Truth at $10,000 a show.
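
The post mentions heuristics for spotting clumsy forgeries without naming any. The sketch below is an added example, not part of the original post: it shows two such checks on the receiving side, comparing the From domain with the first Received hop and with the Message-ID domain. The two checks, the helper names and the sample messages are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (example domains, not real traffic).
GENUINE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.org; Fri, 8 Feb 1991 18:05:00 GMT
From: Joe <joe@example.com>
Message-ID: <1991Feb8.180500.1@example.com>
Subject: status

Report attached.
"""

FORGED = """\
Received: from pc17.example.net (pc17.example.net [198.51.100.7])
\tby mx.example.org; Fri, 8 Feb 1991 18:06:00 GMT
From: Joe <joe@example.com>
Message-ID: <abc@pc17.example.net>
Subject: status

Report attached.
"""

def org_domain(host):
    """Crude organisational domain: the last two labels (an assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def forgery_flags(raw):
    """Return a list of reasons the message deserves a closer look."""
    msg = email.message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    sender = org_domain(addr.rpartition("@")[2])
    flags = []
    # The last Received header is the earliest hop, closest to the origin.
    hops = msg.get_all("Received") or []
    if not hops:
        flags.append("no Received header")
    else:
        m = re.match(r"\s*from\s+(\S+)", hops[-1])
        if not m or org_domain(m.group(1)) != sender:
            flags.append("first hop is not in the From domain")
    # A Message-ID is normally minted by the sender's own mail system.
    mid = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2]
    if org_domain(mid) != sender:
        flags.append("Message-ID domain differs from From domain")
    return flags
```

A flag is a reason to look closer, not proof: mail legitimately relayed through another organisation's host trips the same checks.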