ietf-822

Re: Sender authentication?

2004-02-09 04:26:53

In <20040208231024(_dot_)11203(_dot_)6(_at_)llama(_dot_)ing-simmons(_dot_)net> 
Nick Ing-Simmons <nick(_at_)ing-simmons(_dot_)net> writes:

I hope this isn't re-hashing old ground but an idea has occurred to me
that would, I think, help with the current deluge of mail from worms that 
forge From: addresses.

The idea is to "sign" the From: and Message-ID: pair using 
a public key scheme, and add the signature as a new header.

Yes, it can be done, and indeed it has been done and is in regular use for
signing Control Messages on Usenet, and less regularly so for signing
moderated articles.

The bad news is that the protocols for the two purposes are different and
incompatible and suffer from various limitations which make them
unsuitable for general use.

1: PGPVerify is used for signing control messages. The signature header
includes a list of the other headers included within the signature. Its
canonicalization is minimal (e.g. doesn't understand folding).

2: PGPMoose is used for signing moderated articles. The list of headers
included within the signature is fixed and non-configurable. Its
canonicalization is a little better.

Both of the above suffer from the disadvantage that they also include the
whole of the article body within the signature. That should have been a
configurable option IMHO (so, for example, changes of CTE en route would
break it, though that is also true of PGP-Mime).

3. www.landfield.com/usefor/drafts/draft-lindsey-usefor-signed-01.txt.
This is unfinished work intended to overcome the problems identified
above. Its most notable feature is an exceedingly comprehensive
canonicalization scheme. Probably too comprehensive in some ways and
insufficiently comprehensive in others. I would probably do it differently
if doing it again. Not implemented, except for on a demonstration basis in
Perl.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, 
CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
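
An added example, not part of the message above and not code from PGPVerify, PGPMoose or the draft: it shows why a header signature needs both an explicit list of signed headers and a canonicalization that understands folding. The sample headers and both canonicalization rules are constructed assumptions, and the public-key step is left out; a SHA-256 digest stands in for the bytes a signature would cover.

```python
import hashlib
import re

# Constructed sample headers. REFOLDED is the same message after a relay
# folded From: onto two lines and rewrote Subject:.
ORIGINAL = (
    "From: Alice Example <alice@example.org>\r\n"
    "Message-ID: <20040209.0001@example.org>\r\n"
    "Subject: test\r\n"
)
REFOLDED = (
    "From: Alice Example\r\n"
    "\t<alice@example.org>\r\n"
    "Message-ID: <20040209.0001@example.org>\r\n"
    "Subject: test (was: something)\r\n"
)

def parse_headers(raw):
    """Split a header block into (name, raw_value) pairs, keeping folds."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            # Continuation line: append to the previous field, fold intact.
            name, value = fields[-1]
            fields[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields

def canon_minimal(value):
    """Folding-unaware rule (assumed): only strip surrounding whitespace."""
    return value.strip()

def canon_unfold(value):
    """Assumed rule: drop CRLF before whitespace, collapse whitespace runs."""
    unfolded = re.sub(r"\r\n(?=[ \t])", "", value)
    return re.sub(r"[ \t]+", " ", unfolded).strip()

def signing_digest(raw, signed_names, canon):
    """Digest of the canonical form of the listed headers, in list order."""
    fields = {n.lower(): v for n, v in parse_headers(raw)}
    data = "".join(f"{n.lower()}:{canon(fields[n.lower()])}\n" for n in signed_names)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

SIGNED = ["From", "Message-ID"]  # the pair proposed in the quoted text
```

With `canon_minimal` the two copies give different digests, so a signature would fail after harmless refolding; with `canon_unfold` they match, and they differ again only if `Subject` is added to the signed list.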

