
Re: [Asrg] 6. Email Path Verification

2003-09-10 08:06:28
> Well, some questions...
>
> If I understood from 3, sender MAA shall store some data from each message in order to authenticate the message when the recipient MUA/MAA ask for it. This shall be done for a period of probably 5 days plus some epsilon. So you shall imagine that at some moment, ALL the messages stored in mailqueues over all internet will correspond to some authentication data stored somewhere in some MAA.
>
> As we have some kind of variable data to be stored, maybe this may lead to some possible way to do a DoS attack if someone can fill up sender MAA capacity.

The MAA has to authenticate the sender before it will consent to sign a message. Therefore, it's reasonable to say that it's up to the MAA to perform resource checking - it can implement quotas on the sender's account and return a Temporary Failure. I don't think a DoS risk is inherent in this part of the design.

The only state the recipient MAA has to store is a cache of public signature-verification keys, a resource that can be expired on an LRU or LFUDA basis and limited to a given amount of disk space. Of course, such expiry can cause extra network traffic to other MAAs, but even that is unlikely to trigger a robustly-implemented MAA into an inadvertent DoS.

> Also, as this will be a very living database, it will be difficult to assure redundancy or distribute the database or recovery when some sender MAA fails. I think this may lead to some very complex database problems to solve.

If an MAA goes down, the recipient's MAA will say "temporary failure", probably causing the MUA to try again later. If an MAA's database gets corrupted, the recipient's MAA will say (at worst) "signature invalid". Finally, I don't know all that much about databases, but I don't think it's too much of a problem to propagate signatures to a back-end database which can be queried by multiple MAA servers.

> Is it realistic to limit the number of messages each one may send each day?

Again, this is up to the sender's MAA. A limit should be quite easy to select, in practice, because it can simultaneously be high enough to avoid interaction with 99.9% of legitimate users, low enough to curtail a spammer's activities, and the remaining 0.1% of legit users can be contacted and asked "are you sure?".

Remember, a typical legitimate user might send tens of messages a day, whereas a spammer or mass-mailing worm wants to send millions. Mailing lists are a special case, but these aren't terribly hard to account for.

Ultimately, the quality of the MAA's policy will be judged by its users and by the trust directory. I reckon market forces will be sufficient to keep them in line, though a BCP document can be helpful.

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk
website:  http://www.chromatix.uklinux.net/
tagline:  The key to knowledge is not to rely on people to teach you it.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
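The two resource controls the reply relies on, a per-account send quota on the sender's MAA that answers with a temporary failure when exhausted, and a size-bounded LRU cache of other MAAs' verification keys on the recipient's MAA, are sketched below as an added, constructed example. It is not code from the post or from any ASRG proposal; the limit and window values, the `TEMPFAIL` / `OK` verdict strings, the `fetch` callback standing in for a query to a remote MAA, and all class and method names are assumptions made for illustration.

```python
from collections import OrderedDict
from typing import Callable, Dict, List

# Assumed policy values: well above the "tens of messages a day" a typical
# legitimate user sends, far below what a spammer or worm needs.
DAILY_LIMIT = 200
WINDOW_SECONDS = 24 * 3600


class SenderQuota:
    """Sliding-window count of messages signed per authenticated account.

    This is the sender-side check the post describes: the MAA has already
    authenticated the account, so it can meter signing requests per account
    and answer with a temporary failure once the quota is reached.
    """

    def __init__(self, limit: int = DAILY_LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._sent: Dict[str, List[float]] = {}  # account -> send timestamps

    def admit(self, account: str, now: float) -> str:
        """Return "OK" and record the send, or "TEMPFAIL" if the quota is hit."""
        stamps = self._sent.setdefault(account, [])
        cutoff = now - self.window
        # Forget sends that have aged out of the window (oldest first).
        while stamps and stamps[0] <= cutoff:
            stamps.pop(0)
        if len(stamps) >= self.limit:
            return "TEMPFAIL"   # the post's "Temporary Failure": client retries later
        stamps.append(now)
        return "OK"


class KeyCache:
    """LRU cache of other MAAs' public verification keys, bounded by bytes.

    A miss calls `fetch(maa)`, which stands in for a network query to that
    MAA (constructed stand-in, not a real protocol call).  Eviction is
    least-recently-used, so the cache never grows past `max_bytes`.
    """

    def __init__(self, fetch: Callable[[str], bytes], max_bytes: int):
        self._fetch = fetch
        self._max = max_bytes
        self._keys: "OrderedDict[str, bytes]" = OrderedDict()
        self._bytes = 0
        self.fetches = 0  # remote lookups caused by misses and re-fetches

    def get(self, maa: str) -> bytes:
        if maa in self._keys:
            self._keys.move_to_end(maa)  # hit: mark as most recently used
            return self._keys[maa]
        key = self._fetch(maa)
        self.fetches += 1
        self._keys[maa] = key
        self._bytes += len(key)
        # Evict least-recently-used entries until we fit (keep at least one).
        while self._bytes > self._max and len(self._keys) > 1:
            _, evicted = self._keys.popitem(last=False)
            self._bytes -= len(evicted)
        return key

    def cached(self) -> List[str]:
        """MAAs currently cached, least recently used first."""
        return list(self._keys)


if __name__ == "__main__":
    q = SenderQuota(limit=3, window=60)
    for t in (0, 1, 2, 3, 61):
        print("alice at t=%d -> %s" % (t, q.admit("alice", t)))
    c = KeyCache(lambda m: ("pub:" + m).encode(), max_bytes=10)
    for m in ("a", "b", "c", "b", "a"):
        c.get(m)
    print("cached:", c.cached(), "fetches:", c.fetches)
```

The quota check returns a soft failure rather than rejecting outright, which is what lets a legitimate user who trips the limit be handled out of band while an MUA simply retries; the key cache shows the trade-off the reply mentions, since every eviction of a still-needed key costs one extra remote lookup (`fetches`) but keeps the recipient MAA's state bounded.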