At 9:16 AM -0500 3/11/03, Jacqui Caren wrote:
> I did not even consider the need for background checks etc - even though
> many people I know do at least credit checks before accepting a customer
> - in the UK the number of cases discussed where prospects are actually
> broke at the point of contract is getting scary!
> Perhaps I should stick to lurking :-)
I wouldn't go that far. Let's back up a moment and ask what level of
certification we are looking for.
Current web site certificates are (moderately) expensive because
their point is to ensure not only that your domain is secure, but
that it belongs to the company you claim it belongs to. As has been
pointed out on this list, $99 US (that's what I pay for certs
semi-wholesale right now, want to buy one? :-) is not enough to
ensure that. Practically speaking an SSL certificate is probably an
assurance that the site you are connecting to is managed by the owner
of the domain, but not much more. And besides, nobody looks at the
cert info to see if the company information corresponds anyway.
In the email space we have seen several types of authentication
discussed. I may have the details wrong here as I haven't had time
to do more than skim the domain proposals.
1. Domain
Determines that a user is allowed to send email from a domain. This
assumes that the domain itself has determined the user to be valid
(which may or may not be a valid assumption). This can be done
non-cryptographically (comparing the sending IP to a convention for
DNS lookup) or cryptographically (comparing a token in the
message/transport to something you lookup somewhere).
2. Sender (sometimes envelope-from, sometimes From header)
This determines that the sender is who they say they are.
Non-cryptographic methods simply check to see if the account exists,
which really doesn't protect against forgery, just (possibly) keeps
out fake addresses. They can't check against the sending IP since
mail senders are not always mail receivers. Cryptographic methods
ensure that the sender is actually the owner of the email address via
some server lookup.
I don't see that domain authentication requires externally provided
certificates. Insofar as the check is done using the DNS system,
that provides some degree of assurance (modulo cache poisoning). All
that's needed is a simple way of generating public/private keys. Of
course you could have external authorities if people wanted to
certify the behavior of the sender. That would enable you to not
only know what domain truly sent it--but whether you thought you
could trust them to be good.
Sender authentication *does* need a central authority. However there
are three levels at which it could be done.
1. The sending domain could be the authority.
In other words, just as with domain authentication we trusted the
domain to only allow valid from addresses, we could also use the
sending domain to authenticate the sending key. It's a weak level of
trust, but as good as the domain authentication. It does require
more infrastructure on the part of sending domain.
2. The central authority could be automated.
In this model we are ensuring only that the sending person is in fact
the owner of the email address. This is the old First Virtual model
of authentication. Its primary vulnerability is at the mail server,
and from viruses. But all in all it's a pretty good model. In
particular, it can be run very cheaply. You send a request for
certificate, you get back a receipt, you forward the receipt, you get
the certificate. (And somewhere in there you pay $5 or whatever.)
The interface could easily be managed by plugins to existing MUAs.
3. The central authority could actually guarantee you are who you say you are.
This is the expensive case. But it's not clear to me that it is
truly necessary. It's also not clear to me that there is anyone I
would trust to run it. I've bypassed Network Solutions' "you must
provide proof" mechanisms so many times that I just don't believe
anyone would run this one safely. Maybe the government could do it,
but only because they have enough offices that people could show up
in person with a passport and birth certificate and a print out of
the confirming email.
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
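The two flavours of domain authentication in item 1 above (a non-cryptographic comparison of the sending IP against a DNS-published list, and a cryptographic token in the message checked against a key looked up in DNS), together with the step that connects them to the sender-level question (does the From address actually belong to the domain that vouched for it?), as an added example. This is not code from the original message or from any of the proposals it refers to. It assumes an in-memory map standing in for DNS so it runs offline, invented record names `_senders.<domain>` and `_key.<domain>`, Ed25519 as the "simple way of generating public/private keys", and a constructed key seed, IP ranges and message; a real receiver would use `net.LookupTXT` and the record formats of whatever scheme was actually deployed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// fakeDNS is a constructed stand-in for DNS TXT lookups: record name -> values.
type fakeDNS map[string][]string

// ipAuthorized is the non-cryptographic check: the receiver looks up the
// sending hosts a domain publishes under an (invented) _senders record and
// asks whether the connecting IP falls inside one of them. Only "ip4:" CIDR
// tokens are understood here; anything unknown is ignored, so an unparsable
// record fails closed rather than authorizing everyone.
func ipAuthorized(dns fakeDNS, domain string, sender net.IP) bool {
	for _, rec := range dns["_senders."+strings.ToLower(domain)] {
		for _, tok := range strings.Fields(rec) {
			if !strings.HasPrefix(tok, "ip4:") {
				continue
			}
			_, cidr, err := net.ParseCIDR(strings.TrimPrefix(tok, "ip4:"))
			if err == nil && cidr.Contains(sender) {
				return true
			}
		}
	}
	return false
}

// canonical fixes the exact bytes that are signed, so sender and receiver
// agree on them even if intermediate MTAs reflow whitespace around headers.
func canonical(from, subject, body string) []byte {
	return []byte(strings.TrimSpace(from) + "\n" + strings.TrimSpace(subject) + "\n" + body)
}

// signMessage is run by the domain's outbound server: it signs the canonical
// form of the From and Subject headers plus the body with the domain's key
// and returns the token to be carried in the message.
func signMessage(priv ed25519.PrivateKey, from, subject, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(from, subject, body)))
}

// verifyDomainSignature is the cryptographic check: the receiver fetches the
// public key published under the (invented) _key record of the claimed domain
// and verifies the token against the message as received. A missing record,
// a malformed key or any change to From/Subject/body all yield false.
func verifyDomainSignature(dns fakeDNS, domain, sigB64, from, subject, body string) bool {
	recs := dns["_key."+strings.ToLower(domain)]
	if len(recs) == 0 {
		return false
	}
	pub, err := base64.StdEncoding.DecodeString(recs[0])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), canonical(from, subject, body), sig)
}

// fromDomain extracts the domain part of a From header such as
// "Alice <alice@example.com>"; "" means no parsable address.
func fromDomain(from string) string {
	at := strings.LastIndex(from, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.Trim(from[at+1:], "> "))
}

// aligned is the bridge from domain to sender authentication: a passing
// domain check only vouches for addresses in that domain, so the From header
// must belong to the domain whose record or key actually verified.
func aligned(authDomain, from string) bool {
	d := fromDomain(from)
	return d != "" && d == strings.ToLower(authDomain)
}

// buildFixture constructs the test-only DNS records and signing key. The fixed
// seed exists so the example is reproducible; a real key is never derived this way.
func buildFixture() (fakeDNS, ed25519.PrivateKey) {
	seed := []byte("constructed-example-seed-0123456") // exactly 32 bytes, constructed
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	dns := fakeDNS{
		"_senders.example.com": {"v=senders ip4:192.0.2.0/24 ip4:198.51.100.7/32"},
		"_key.example.com":     {base64.StdEncoding.EncodeToString(pub)},
	}
	return dns, priv
}

func main() {
	dns, priv := buildFixture()
	from, subj, body := "Alice <alice@example.com>", "hello", "body\n"
	sig := signMessage(priv, from, subj, body)
	fmt.Println("sending IP authorized:", ipAuthorized(dns, "example.com", net.ParseIP("192.0.2.10")))
	fmt.Println("signature verifies:   ", verifyDomainSignature(dns, "example.com", sig, from, subj, body))
	fmt.Println("From aligned:         ", aligned("example.com", from))
}
```

Neither check says anything about whether the person behind alice@example.com is trustworthy or even real; that is exactly the gap the message describes between domain authentication and the three levels of sender authentication, and why a DNS-hosted key needs no external certificate authority while a sender-level assertion does.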