On Thursday, April 03, 2003 3:42 PM, J C Lawrence
[SMTP:claw(_at_)kanga(_dot_)nu] wrote:
8<...>8
> My concern there is distribution of the secret. There's relatively
> little value in caching the value of an authenticity check. It's not
> something that a given site tends to repeat. However repetitive checks
> of *different* messages from the same MTA will be common, each one
> hammering the possessor of the secret.
I think he means caching of the public key, so receiving MTAs can do quick
checks of MTAs in the forwarding path. I don't think you want anybody handing
out secrets, but handing a public key out, via DNS, that can be cached by
receivers seems like a prudent idea. I do note your concerns on DNS server
load, however; that could be an issue. DNS servers do handle a lot of
queries anyway, though it should be noted as a security concern.
e.g., MTAs: O=originator, R=receiver; DNS: DOP=originator public-key RR,
DRR=receiver porkhasher plug-in, DO=originator DNS server

  O ehlo, etc...DATA >> R
  O << end with '.' R
  O headers >> R
  latest header >> read O[x] porkhash >> DRR query DOP >> DO
  DRR << DOP DO
  DOP cached TTL n
  :repeat for each header O[x++]
  ...perform porkhashing checks
  ...return result, for each O[x]
  O << status (acc,rjt,...) R
  end session

When new mail arrives from the same O[x] before expiration of n, then
use the cached DOP for 'O[x]' porkhash checks.
> A system which doesn't require either distribution of the secret, or
> ready access to the secret by uninvolved parties would seem better.
Only the MTA needing to know the public key would be involved, and it would only
(concerning cache persistence here) query again if necessary.
> --
> J C Lawrence
> ---------(*) Satan, oscillate my metallic sonatas.
> claw(_at_)kanga(_dot_)nu He lived as a devil, eh?
> http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
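As an added illustration of the caching the reply sketches (this is not code from the thread, nor from any porkhash implementation): the receiving side caches each originator's public-key RR (DOP) for its TTL, so repeated messages through the same O[x] hops cost the originator's DNS server (DO) no further queries until the record expires, and a lapsed TTL triggers exactly one re-query. Host names, key strings, TTLs and the clock are constructed; the porkhash check itself, which the thread does not specify, is not modelled, only the key lookup that feeds it.

```python
from dataclasses import dataclass

@dataclass
class KeyRecord:
    owner: str    # originator MTA name, the O[x] of the sketch
    pubkey: str   # opaque key material carried in the DOP RR (constructed sample)
    ttl: int      # TTL of the RR in seconds, the 'n' of the sketch

class AuthoritativeDNS:
    """Stands in for DO, the originator's DNS server; counts queries to show load."""
    def __init__(self, records):
        self.records = {r.owner: r for r in records}
        self.queries = 0

    def query(self, owner):
        self.queries += 1
        return self.records.get(owner)

class ReceiverKeyCache:
    """DRR side: keep each DOP record until its TTL runs out, then re-query DO."""
    def __init__(self, dns, clock):
        self.dns, self.clock, self.cache = dns, clock, {}  # owner -> (record, expiry)

    def lookup(self, owner):
        """Return (record, served_from_cache); a missing RR is never cached."""
        now = self.clock()
        hit = self.cache.get(owner)
        if hit is not None and hit[1] > now:
            return hit[0], True
        rec = self.dns.query(owner)
        if rec is None:
            self.cache.pop(owner, None)  # drop any stale copy of a withdrawn RR
            return None, False
        self.cache[owner] = (rec, now + rec.ttl)
        return rec, False

def check_message(cache, received_chain):
    """One key lookup per hop O[x] in the forwarding path, as in the sketch."""
    return [(hop,) + cache.lookup(hop) for hop in received_chain]

def demo():
    dns = AuthoritativeDNS([KeyRecord("mx1.example.test", "KEY-A", 300),
                            KeyRecord("relay.example.test", "KEY-B", 60)])
    clock = [0.0]                                    # constructed clock, seconds
    cache = ReceiverKeyCache(dns, lambda: clock[0])
    chain = ["relay.example.test", "mx1.example.test"]
    first = check_message(cache, chain)    # two queries reach DO
    second = check_message(cache, chain)   # same O[x] within n: zero queries
    clock[0] += 120                        # relay's 60s TTL expired, mx1's has not
    third = check_message(cache, chain)    # one query, for relay only
    return dns.queries, first, second, third
```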
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg