[gnso-rds-pdp-wg] On some security claims (was Re: Apologies, and some reflections on requirements)

Andrew Sullivan ajs at anvilwalrusden.com
Mon Jul 4 16:00:31 UTC 2016


Hi,

Responding to two messages at once.  I think there are some technical
misconceptions in the messages from Catalyst-Vaibhav Aggarwal.  We
won't get anywhere if we proceed by believing false things about how
the Internet works.

On Mon, Jul 04, 2016 at 03:19:53PM +0530, Catalyst-Vaibhav Aggarwal wrote:

> And any such suggestion can easily be implemented with the Automation of
> the entire Verification process. For Eg. Gmail has a two Step
> Authentication - One on the Password and the other on the Phone Number of
> the User.

Actually, no.  What Google two-step authentication does is bind a
login to both a password and some other communication factor.  It does
not actually tell you who is at the other end, and can't.  There is a
serious and important difference for our purposes between
authenticating that the same individual is undertaking two different
actions, and identifying who that individual is when (e.g.) wandering
around in the street.

> This is a issue regaining the safety of me, my family

Can you say more about how you think registration of domain names in
the global DNS could (even a little bit) affect the safety of you or
your family?  In particular,

> or anybody will be willing to compromise. And the Lives being lost and the

could you say some more about how you think anyone's life hangs in the
balance due to registration of domain names?

Also,

On Mon, Jul 04, 2016 at 04:28:29PM +0530, Catalyst-Vaibhav Aggarwal wrote:

> As far as Security for the Email Addresses is concerned, every email server
> has a built in SMTP verification mechanism that either can be switched on or
> Off as per the need may be -  Most servers or Service providers don’t switch
> it on as there is a cost added to their overall Network Management or
> Infrastructure. BUT Gmail has implemented it. That is why we are able to see
> Classification of Mails in our mail boxes.

I would appreciate a pointer to the documentation of this SMTP
verification mechanism of which you speak.  I'm reasonably familiar
with the SMTP specifications, and I'm not really sure what feature
you're talking about.  If you mean the SMTP VRFY verb, I don't think
it does what you think it does, and it has been widely regarded as a
spam-promoting feature since at least 1999.  It is certainly not the
basis for Google's classification of your email, which (depending on
how you use it) depends on them reading either your headers or your
mail bodies to classify it for you.

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com


