
RE: [Asrg] porkhash: flexible anti-impersonation mail signatures

2003-04-03 16:07:12
On Thursday, April 03, 2003 3:42 PM, J C Lawrence 
[SMTP:claw(_at_)kanga(_dot_)nu] wrote:
8<...>8
My concern there is distribution of the secret.  There's relatively
little value in caching the value of an authenticity check.  It's not
something that a given site tends to repeat.  However repetitive checks
of *different* messages from the same MTA will be common, each one
hammering the possessor of the secret.

I think he means caching of the public key, so receiving MTAs can do quick 
checks of MTAs in the forwarding path.  I don't think you want anybody handing 
out secrets, but handing a public key out, via DNS, that can be cached by 
receivers seems like a prudent idea.  I do note your concerns on DNS server 
load however; that could be an issue.  DNS servers do, however, handle a lot of 
queries anyway, though it should be noted as a security concern.

e.g., MTAs: O=originator, R=receiver; DNS: DOP=originator public-key RR, 
DRR=receiver porkhasher plug-in, DO=originator DNS server

O ehlo, etc...DATA  >> R
O << end with '.'      R
O headers           >> R
latest header  >> read O[x] porkhash >>  DRR   query DOP >> DO
                                      DRR << DOP         DO
                                        DOP cached TTL n
:repeat for each header O[x++]
...perform porkhashing checks
...return result, for each O[x]
O << status (acc,rjt,...) R
end session

When new mail arrives from same O[x] before expiration of n, then
use the cached DOP for 'O[x]' porkhash checks.

A system which doesn't require either distribution of the secret, or
ready access to the secret by uninvolved parties would seem better.

Only the MTA needing to know the public key would be involved, and it would only 
(concerning cache persistency here) query again if necessary.

--
J C Lawrence
---------(*)                Satan, oscillate my metallic sonatas.
claw(_at_)kanga(_dot_)nu               He lived as a devil, eh?               
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg