Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site hou3c.UUCP
Path: utzoo!watmath!clyde!burl!hou3c!Ellis@YALE.ARPA
From: Ellis@YALE.ARPA (John R Ellis)
Newsgroups: net.mail.headers
Subject: Re:  user-editable mail headers
Message-ID: <8408191851.AA10995@YALE-BULLDOG.YALE.ARPA>
Date: Sun, 19-Aug-84 14:37:02 EDT
Article-I.D.: hou3c.765
Posted: Sun Aug 19 14:37:02 1984
Date-Received: Tue, 21-Aug-84 00:36:53 EDT
Sender: ka@hou3c.UUCP (Kenneth Almquist)
Lines: 29
To: Mark Crispin 
Cc: steve@BRL-BMD.ARPA, header-people@MIT-MC.ARPA
In-Reply-To: Mark Crispin , Sun 19 Aug 84 10:46:52-PDT


    Personally, I believe that security against forged mail is a fantasy.
    The best you can do is validate that a message clearly came from such-
    and-such a host, or for locally-originated mail, that a message was
    composed by a certain user.

It's quite easy to do much better than this for local networks, using
standard operating systems like TOPS-20 and Unix.  At Yale, our Chaosnet
implementation provides a server with the user id and host of the program
at the other end of the connection.  The operating systems provide this
information; user-state programs cannot forge it.  (It isn't hard to modify
TOPS-20 and Unix implementations of Chaosnet to provide this capability.)
Thus our mail system knows reliably who sent local-network mail.

Of course, if someone broke into the operating systems, they could forge
the mail.  So what?  Computer people often talk about "security" as if
it were an all-or-nothing proposition.  But as in the physical world,
there are varying degrees of computer security, depending on how much
the security is worth to you.  Show me a particular computer security
method, and I'll show you a (possibly very expensive) way to circumvent
it (including non-electronic methods).

Just as most of us prefer moderately secure locks on the doors of our
homes in preference to no locks at all, most computer users would prefer
protection against easy forgery rather than no protection at all.  I was
once told the government's sensible definition of security:  Make it more
expensive for the spies to break security of your particular system than
it would cost them to achieve their goals by some other means.
-------
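
The principle in the message above (the operating system, not the sending program, tells the server who is on the other end), as an added example that is not part of the original post or of Yale's mail system. It substitutes Linux's SO_PEERCRED on a Unix-domain socket for the Chaosnet mechanism; the function names, the "localhost" host name and the sample message are constructed for illustration.

```python
import pwd
import socket
import struct

UCRED = struct.Struct("iII")  # struct ucred on Linux: pid, uid, gid

def peer_uid(conn):
    """Uid of the process at the other end, as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, _gid = UCRED.unpack(raw)
    return uid

def local_user(uid):
    """Map a uid to a login name; fall back to the number if it has none."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return "uid-%d" % uid

def stamp_sender(conn, message, host="localhost"):
    """Replace any client-supplied Sender: with one taken from the kernel.

    From: stays as the client wrote it; only the header block is touched.
    """
    head, sep, body = message.partition("\n\n")
    kept = [h for h in head.splitlines() if not h.lower().startswith("sender:")]
    verified = "Sender: %s@%s" % (local_user(peer_uid(conn)), host)
    return "\n".join([verified] + kept) + sep + body

def demo():
    """Submit a constructed message that claims to be from root."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        claimed = ("From: root@localhost\nSender: root@localhost\n"
                   "Subject: test\n\nSender: this body line is not a header\n")
        client_end.sendall(claimed.encode())
        client_end.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = server_end.recv(4096)
            if not chunk:
                break
            received += chunk
        return stamp_sender(server_end, received.decode())
    finally:
        server_end.close()
        client_end.close()

if __name__ == "__main__":
    print(demo())
```

The From: line remains whatever the client typed; only the Sender: line carries the identity the kernel vouches for, and it is exactly as trustworthy as the operating system that reported it.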