ietf-asrg
[Top] [All Lists]

RE: [Asrg] How to defeat spam that uses encryption?

2003-04-01 11:08:16
On Tuesday, April 01, 2003 11:56 AM, Chuq Von Rospach 
[SMTP:chuqui(_at_)plaidworks(_dot_)com] wrote:

On Tuesday, April 1, 2003, at 05:31  AM, william(_at_)elan(_dot_)net wrote:

There is nothing stopping spammers from generating new keys and
certificates
for their mail servers, so we can have servers exchange certs, but
really
not authentication there as far as who is who.

as a friend of mine who's a computer security expert keeps reminding
me, authentication is not authorization. The fact that someone can get
authenticated doesn't say anything about what that person can (or
should) be able to do. It merely means you have some idea who that
person is supposed to be.

As a security expert I would have to insert that authentication is a key 
element in making an authorization determination.  So it is the first step in 
determining what someone can do. In this case whether the entity may forward a 
message to a particular address/recipient/domain.  Without adequate knowledge 
or assurance that an entity is 'who' it say's it is then authorization is not 
effective.  I don't think that is an argument against authentication but rather 
the authorization must follow (and I think was implicit in the statement, 
though the thought could be inferred).

It doesn't matter how good the authentication scheme is if there's no
way to turn that into  what a person is authorized to do. That's a key
problem with certs and many authentication schemes. Given how easy it
is to get or generate certs, and given that even if you authenticate
sites and can blacklist certs that spam, if certs are effectively
throwaway tools for spammers, what good does blacklisting a cert do?

No, I don't agree.  The cert (throw-away or not) in the example are not 
'granted' by un-trusted or unknown certifiers and in that case the objective 
identification of a sending host should contain (given a proper vetting 
standard) information that can be used for the authorization step.

authenticating a stranger doesn't buy you anything, because you still
don't know what permissions you can trust that stranger with.
authentication is mostly of advantage for whitelisting operations and
clearing stuff out of the way that you know you don't have to look at,
at least until someone grabs someone else's cert...

But it does buy you the fact that you know "they are who they say they are", in 
this example through some objective third party, then what you want to allow 
them to do is up to you, you can't depend on the 'stranger' to tell you what 
they are authorized to do.

-e

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg