Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!sun-barr!rutgers!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Authenticated SMTP, anyone done one?
Message-ID: <5369.Jun1503.41.5891@kramden.acf.nyu.edu>
Date: 15 Jun 91 03:41:58 GMT
References: <1991Jun3.163841.4114@bwdls61.bnr.ca> <17169:Jun1122:04:5791@kramden.acf.nyu.edu> <43225@cup.portal.com>
Organization: IR
Lines: 24

In article <43225@cup.portal.com> Will@cup.portal.com (Will E Estes) writes:
> Then what is the purpose of RFCs 1113, 1114, and 1115 on Privacy
> Enhanced Mail (PEM)?

PEM is not, and for the next several years will not be, a freely available system. It also is not a link-level SMTP authentication protocol, as the original poster was asking for; it is an end-to-end privacy protocol.

However wonderful PEM might be, it is not available now, in a form that works on most machines on the Internet. RFC 931 is, in a tiny package with every compile/install step completely automated.

Basically, you can put RFC 931 on a BSD mail server now. For free. If you apply the sendmail patch, every mail message coming through the system will be marked with a username with at least as much security as the IP address in every packet. Your users won't notice the change, but you'll suddenly be able to trace forgeries much more easily---or you can just chop all forgeries tomorrow morning. None of this is true of PEM.

---Dan
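
To illustrate the RFC 931 lookup the post refers to, here is an added example (not part of the original post and not the sendmail patch) showing how a mail server could form the query and validate the remote reply before marking a message. The reply grammar follows RFC 931; the `mark` output format, the 64-character user-id limit, and the sample address and ports are assumptions made for illustration.

```python
import re

# Reply grammar from RFC 931:
#   <port> , <port> : USERID : <opsys> : <user-id>
#   <port> , <port> : ERROR : <error-type>
REPLY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)$")
SAFE_USER = re.compile(r"^[\x21-\x7e]{1,64}$")  # assumed local policy, not from the RFC

def build_query(peer_port, our_port):
    """Bytes to send to the peer's authentication server (TCP port 113)."""
    return f"{peer_port} , {our_port}\r\n".encode("ascii")

def parse_reply(raw, peer_port, our_port):
    """Return ("USERID", opsys, user), ("ERROR", reason) or None if unusable."""
    try:
        line = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None
    m = REPLY.match(line)
    # The echoed port pair must be the connection we asked about.
    if not m or (int(m.group(1)), int(m.group(2))) != (peer_port, our_port):
        return None
    if m.group(3) == "ERROR":
        return ("ERROR", m.group(4).strip())
    opsys, sep, user = m.group(4).partition(":")
    user = user.strip()
    # The user-id is remote-controlled text: refuse anything that could
    # carry spaces, control characters or line breaks into a mail header.
    if not sep or not SAFE_USER.match(user):
        return None
    return ("USERID", opsys.strip(), user)

def mark(peer_ip, parsed):
    """Hypothetical trace string for the message; not the patch's format."""
    if parsed and parsed[0] == "USERID":
        return f"{parsed[2]}@{peer_ip}"
    return f"unknown@{peer_ip}"

# Constructed replies for a connection from peer port 6191 to our port 25.
SAMPLES = [
    b"6191 , 25 : USERID : UNIX : stjohns\r\n",
    b"6191 , 25 : ERROR : NO-USER\r\n",
    b"6191 , 25 : USERID : UNIX : root\r\nReceived: forged\r\n",
    b"4000 , 25 : USERID : UNIX : root\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(mark("192.0.2.7", parse_reply(s, 6191, 25)))
```

Only the first constructed reply yields a username; the error reply, the reply with an embedded line break, and the reply echoing the wrong port pair are all marked as unknown.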