Re: [Asrg] 6. Email Path Verification
2003-09-10 08:06:28
> Well, some questions...
> If I understood from 3, the sender MAA shall store some data from each
> message in order to authenticate the message when the recipient
> MUA/MAA asks for it. This shall be done for a period of probably 5 days
> plus some epsilon. So you should imagine that at some moment, ALL the
> messages stored in mail queues over all the internet will correspond to
> some authentication data stored somewhere in some MAA.
> As we have some kind of variable data to be stored, maybe this may lead
> to some possible way to do a DoS attack if someone can fill up the sender
> MAA's capacity.
The MAA has to authenticate the sender before it will consent to sign a
message. Therefore, it's reasonable to say that it's up to the MAA to
perform resource checking - it can implement quotas on the sender's
account and return a Temporary Failure. I don't think a DoS risk is
inherent in this part of the design.
The only state the recipient MAA has to store is a cache of public
signature-verification keys, a resource that can be expired on an LRU
or LFUDA basis and limited to a given amount of disk space. Of course,
such expiry can cause extra network traffic to other MAAs, but even
that is unlikely to trigger a robustly-implemented MAA into an
inadvertent DoS.
> Also, as this will be a very living database, it will be difficult to
> ensure redundancy or distribute the database or recover when some
> sender MAA fails. I think this may lead to some very complex database
> problems to solve.
If an MAA goes down, the recipient's MAA will say "temporary failure",
probably causing the MUA to try again later. If an MAA's database gets
corrupted, the recipient's MAA will say (at worst) "signature invalid".
Finally, I don't know all that much about databases, but I don't think
it's too much of a problem to propagate signatures to a back-end
database which can be queried by multiple MAA servers.
> Is it realistic to limit the number of messages each one may send each
> day?
Again, this is up to the sender's MAA. A limit should be quite easy to
select, in practice, because it can simultaneously be high enough to
avoid interaction with 99.9% of legitimate users, low enough to curtail
a spammer's activities, and the remaining 0.1% of legit users can be
contacted and asked "are you sure?".
Remember, a typical legitimate user might send tens of messages a day,
whereas a spammer or mass-mailing worm wants to send millions. Mailing
lists are a special case, but these aren't terribly hard to account for.
Ultimately, the quality of the MAA's policy will be judged by its
users and by the trust directory. I reckon market forces will be
sufficient to keep them in line, though a BCP document can be helpful.
--------------------------------------------------------------
from: Jonathan "Chromatix" Morton
mail: chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk
website: http://www.chromatix.uklinux.net/
tagline: The key to knowledge is not to rely on people to teach you it.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
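The resource argument above (sender-side store bounded by quota times retention, recipient-side state limited to an LRU key cache, "temporary failure" when a sender MAA is unreachable) can be checked with a small model. The following is an added example written for this page, not code from the ASRG thread or from any MAA implementation. It assumes password authentication of senders, an HMAC with a per-MAA key standing in for the signature (a real design would publish a public key, which is what makes the recipient's cache shareable), a five-day-plus-one-hour retention window, and a dictionary standing in for the trust directory; all of those are assumptions made here.

```python
"""Toy model of the quota, retention and key-cache argument.

Added example for this page, not code from the ASRG thread or from any
real MAA. Assumptions: password authentication; HMAC-SHA256 with a
per-MAA key as a stand-in for a public-key signature; retention of five
days plus one hour; a dict standing in for the trust directory.
"""
import hashlib
import hmac
import math
import os
from collections import OrderedDict

DAY = 86400
RETENTION = 5 * DAY + 3600          # "5 days plus some epsilon" (epsilon assumed: 1 hour)


class SenderMAA:
    """Signs messages for authenticated accounts, enforces a per-account
    daily quota, and keeps each signature record only for RETENTION."""

    def __init__(self, daily_quota):
        self.daily_quota = daily_quota
        self.key = os.urandom(32)       # toy verification key (see module docstring)
        self.accounts = {}              # user -> password
        self.sent = {}                  # (user, day) -> messages signed that day
        self.records = {}               # signature -> (user, signed_at)

    def add_account(self, user, password):
        self.accounts[user] = password

    def sign(self, user, password, message, now):
        """Return ('ok', signature), ('temporary-failure', why) or
        ('permanent-failure', why)."""
        if not hmac.compare_digest(self.accounts.get(user, ""), password):
            return ("permanent-failure", "authentication failed")   # nothing stored
        self.expire(now)
        bucket = (user, now // DAY)
        if self.sent.get(bucket, 0) >= self.daily_quota:
            # Quota hit: refuse rather than let one account fill the store.
            return ("temporary-failure", "daily quota exhausted")
        self.sent[bucket] = self.sent.get(bucket, 0) + 1
        signature = hmac.new(self.key, message, hashlib.sha256).hexdigest()
        self.records[signature] = (user, now)
        return ("ok", signature)

    def expire(self, now):
        """Drop records and counters older than RETENTION."""
        for sig in [s for s, (_, t) in self.records.items() if now - t > RETENTION]:
            del self.records[sig]
        horizon = math.ceil(RETENTION / DAY)
        for bucket in [b for b in self.sent if now // DAY - b[1] > horizon]:
            del self.sent[bucket]

    def max_records_per_account(self):
        """Worst-case store size one account can force: quota per day times
        the number of days a record can stay in the store."""
        return self.daily_quota * math.ceil(RETENTION / DAY)


class RecipientMAA:
    """Keeps only a bounded LRU cache of verification keys."""

    def __init__(self, fetch_key, cache_size):
        self.fetch_key = fetch_key      # callable domain -> key; a network call in practice
        self.cache = OrderedDict()
        self.cache_size = cache_size
        self.fetches = 0

    def _key_for(self, domain):
        if domain in self.cache:
            self.cache.move_to_end(domain)          # mark as recently used
            return self.cache[domain]
        key = self.fetch_key(domain)                # may raise if the sender MAA is down
        self.fetches += 1
        self.cache[domain] = key
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)          # evict least recently used
        return key

    def verify(self, domain, message, signature):
        try:
            key = self._key_for(domain)
        except ConnectionError:
            return "temporary-failure"              # let the MUA retry later
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return "ok" if hmac.compare_digest(expected, signature) else "signature-invalid"


def run_scenario(quota=3):
    """Walk through the thread's argument and return the observations."""
    maa = SenderMAA(daily_quota=quota)
    maa.add_account("alice", "s3cret")          # constructed account
    t0 = 10 * DAY
    # A worm holding alice's password bursts quota + 2 messages in one day.
    outcomes = [maa.sign("alice", "s3cret", b"msg %d" % i, t0)[0] for i in range(quota + 2)]
    stored_after_burst = len(maa.records)
    spoof = maa.sign("alice", "wrong", b"spoof", t0)[0]   # wrong password: never stored
    # Recipient with a one-entry key cache; the dict stands in for the trust directory.
    directory = {"example.org": maa.key}
    rcpt = RecipientMAA(lambda d: directory[d], cache_size=1)
    _, sig = maa.sign("alice", "s3cret", b"hello", t0 + DAY)    # next day, quota reset
    good = rcpt.verify("example.org", b"hello", sig)
    tampered = rcpt.verify("example.org", b"hello!", sig)
    def down(_domain):
        raise ConnectionError("sender MAA down")
    unreachable = RecipientMAA(down, cache_size=1).verify("example.org", b"hello", sig)
    maa.expire(t0 + DAY + RETENTION + 1)        # retention passed: store drains
    return {"outcomes": outcomes, "stored_after_burst": stored_after_burst,
            "spoof": spoof, "good": good, "tampered": tampered,
            "fetches": rcpt.fetches, "unreachable": unreachable,
            "stored_after_retention": len(maa.records),
            "bound_per_account": maa.max_records_per_account()}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

With a quota of three, the burst yields three signatures and two temporary failures, the store never holds more than quota times six records for that account, the two verifications cost one key fetch, and an unreachable sender MAA produces a temporary failure rather than stored state on the recipient.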