Philip Miller <millenix(_at_)zemos(_dot_)net> wrote:
> DK advantages: prevents forgery in forwarded situations, such as if a
> mailing list owner inserts a forged message on the list.
> DK disadvantages: high burden of software implementation, requires receipt
> of DATA before an authoritative check can be done
It has other issues.
If the outgoing MTA signs the packets, then all users for that
domain are required to send mail through machines administered in the
same domain. i.e. no roaming users being "lazy", and just sending
mail directly to the recipient.
All of the objections to LMAP about this problem then apply to DK.
Even worse, LMAP allows the domain owner to permit roaming users to
continue their existing behaviour. Having the domain owner force
users to send mail through the domain's MTA is an *option* in LMAP.
So LMAP gives the users and domain owners more options than DK.
If DK means that each sender signs the message, then you have two
choices. One is to have a domain-wide private key, in which case it
must change regularly, as spammers will quickly obtain it. The second
is to have per-user private keys, in which case DNS lookups have to be
done to get the key for each user, which is problematic. (Why not
just then have every domain put user authentication information in
DNS, and have every recipient MTA do SMTP AUTH? It's entirely
equivalent, and doesn't require much in the way of user-agent
changes.)
I don't think the second option is useful.
The first option means that not only do we have to update each user
agent to sign the keys (updating millions of clients is a difficult
problem, even for AOL), but we also have to distribute new keys every
so often. This will be a significant ongoing maintenance cost. The
key distribution will be problematic (what if you've been off-line for
a week?)...
In contrast, LMAP has a small additional cost when a new MTA for a
domain is configured, or when MTAs change IP address. It has no
continual maintenance required, like DK does. I'd be *very* surprised
if DK had a lower ongoing maintenance cost than LMAP.
Further, if the user agents sign the messages, then we can be pretty
much guaranteed that spammers will have, and abuse, the keys in
seconds. Spammers already maintain distributed databases of open
proxies. Distributing new keys for a domain is no more expensive.
So the system has significant cost to deploy, and will do *nothing*
to prevent spammers from sending messages, even forged messages from
"owned" machines, or open proxies/relays, like they do today.
While LMAP also permits spammers to continue to send spam "from" a
domain, they can do so only under two conditions. One is with the
agreement of the domain owner (who lets roaming users forge, too).
The second is if they "own" machines in a domain, and abuse those to
send spam.
The first scenario doesn't interest me. The second is more useful.
It means that spammers can continue forging ONLY if they engage in
behaviour which is criminal in many jurisdictions. So LMAP leverages
additional anti-spam resources, making it more effective than it would
have been on its own.
Alan DeKok.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
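The two properties argued over above (an LMAP-style check only needs the connecting IP and the envelope sender, so it can return a verdict at MAIL FROM time, while a DomainKeys-style signature check needs the full message and so cannot run until after DATA, and a signature verifies no matter which host sent it) can be modelled in a few dozen lines. The following is an added illustration, not code from this thread, from ASRG, or from any LMAP or DomainKeys implementation. The domain names, IP addresses, the in-memory "DNS" tables and the use of HMAC in place of a public-key signature are all constructed simplifications.

```python
"""Toy model contrasting a sender-IP authorization check (LMAP-style) with a
domain-wide signature check (DomainKeys-style) across the phases of an SMTP
session.  Constructed example; all data below is made up."""
import hashlib
import hmac

# Constructed stand-in for DNS: which outbound MTA addresses each domain
# has published as authorized (the LMAP-style record).
AUTHORIZED_MTAS = {"example.com": {"192.0.2.10", "192.0.2.11"}}

# Constructed stand-in for DNS: one domain-wide key per domain (the
# DomainKeys-style record).  A real deployment would publish a public key;
# a shared HMAC key is used here only to keep the example self-contained.
DOMAIN_KEYS = {"example.com": b"constructed-domain-wide-key"}


def sender_domain(envelope_from):
    """Domain part of an envelope sender, lower-cased."""
    return envelope_from.rsplit("@", 1)[-1].lower()


def lmap_check(envelope_from, client_ip):
    """IP-based check: usable as soon as MAIL FROM is seen.
    Returns 'pass', 'fail', or 'unknown' (domain publishes nothing)."""
    allowed = AUTHORIZED_MTAS.get(sender_domain(envelope_from))
    if allowed is None:
        return "unknown"
    return "pass" if client_ip in allowed else "fail"


def sign_message(domain, body):
    """Produce the domain-wide signature over the message body."""
    return hmac.new(DOMAIN_KEYS[domain], body, hashlib.sha256).hexdigest()


def dk_check(envelope_from, body, signature):
    """Signature check: needs the whole body, so it can only run after DATA.
    Note that nothing here depends on which host delivered the message."""
    key = DOMAIN_KEYS.get(sender_domain(envelope_from))
    if key is None:
        return "unknown"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, signature) else "fail"


def smtp_session(envelope_from, client_ip, body=None, signature=None):
    """Walk the phases of a session and record, per phase, which verdicts
    are available.  The DK verdict is deliberately absent at MAIL FROM."""
    verdicts = {
        "MAIL FROM": {
            "lmap": lmap_check(envelope_from, client_ip),
            "dk": "pending (needs DATA)",
        }
    }
    if body is not None:
        verdicts["DATA"] = {"dk": dk_check(envelope_from, body, signature)}
    return verdicts


if __name__ == "__main__":
    msg = b"Subject: hello\r\n\r\nconstructed message body\r\n"
    sig = sign_message("example.com", msg)
    # Same signed message, relayed from an address the domain never published:
    # the IP check fails at MAIL FROM, the signature still verifies after DATA.
    for phase, result in smtp_session("alice@example.com", "203.0.113.5",
                                      msg, sig).items():
        print(phase, result)
```

Running it shows the asymmetry the post describes: `lmap_check` gives a verdict before any message data arrives and rejects delivery from an unlisted host, whereas `dk_check` cannot say anything until DATA is complete and, once the domain-wide key is in hand, accepts the message from any source address.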