
Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys"

2003-12-07 16:09:30
Alan,

At 07:26 AM 12/7/2003, Alan DeKok wrote:
<...>


>   If DK means that each sender signs the message, then you have two
> choices.  One is to have a domain-wide private key, in which case it
> must change regularly, as spammers will quickly obtain it.

I don't know why you would assume this.

> The second
> is to have per-user private keys, in which case DNS lookups have to be
> done to get the key for each user, which is problematic.

A big problem with per-user private keys is that these
private keys are vulnerable when user machines are infected with
viruses.  I don't expect the mail operator's machines to be so
vulnerable.  Also, past experience has shown that most users hate
to use cryptographic technologies for email or anything else when
they have a choice.

> (Why not
> just then have every domain put user authentication information in
> DNS, and have every recipient MTA do SMTP AUTH?  It's entirely
> equivalent, and doesn't require much in the way of user-agent
> changes.)

This sounds like a very good approach from MTA(s)->MTA(r), but
what about the case of MTA(s)->MTA(i)->MTA(r), which is a rare
case that nonetheless needs to be supported?

Mark


>   I don't think the second option is useful.
>
>   The first option means that not only do we have to update each user
> agent to sign the keys (updating millions of clients is a difficult
> problem, even for AOL), but we also have to distribute new keys every
> so often.  This will be a significant ongoing maintenance cost.  The
> key distribution will be problematic (what if you've been off-line for
> a week?)...
>
>   In contrast, LMAP has a small additional cost when a new MTA for a
> domain is configured, or when MTAs change IP address.  It has no
> continual maintenance required, like DK does.  I'd be *very* surprised
> if DK had a lower ongoing maintenance cost than LMAP.
>
>   Further, if the user agents sign the messages, then we can be pretty
> much guaranteed that spammers will have, and abuse, the keys in
> seconds.  Spammers already maintain distributed databases of open
> proxies.  Distributing new keys for a domain is no more expensive.
>
>   So the system has significant cost to deploy, and will do *nothing*
> to prevent spammers from sending messages, even forged messages from
> "owned" machines, or open proxies/relays, like they do today.
>
>   While LMAP also permits spammers to continue to send spam "from" a
> domain, they can do so only under two conditions.  One is with the
> agreement of the domain owner (who lets roaming users forge, too).
> The second is if they "own" machines in a domain, and abuse those to
> send spam.
>
>   The first scenario doesn't interest me.  The second is more useful.
> It means that spammers can continue forging ONLY if they engage in
> behaviour which is criminal in many jurisdictions.  So LMAP leverages
> additional anti-spam resources, making it more effective than it would
> have been on its own.
>
>   Alan DeKok.
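Mark's question about the MTA(s)->MTA(i)->MTA(r) path is the point where an IP-based check (LMAP) and a domain-signature check (DK) behave differently. The following Python model is an added illustration, not code from this thread or from either proposal: the "DNS" data is an inline dict, the hosts and addresses are constructed, and an HMAC with a domain secret stands in for the public-key signature a real DomainKeys record would let the recipient verify. It shows the forwarded message passing the signature check but failing the IP check, and failing both once an intermediate alters the body.

```python
import hashlib
import hmac

# Constructed stand-ins for the DNS data each scheme would publish.
# LMAP-style: the IPs allowed to send mail for a domain.
# DomainKeys-style: one key per domain. HMAC with a shared secret stands in for
# the RSA public key a real record would carry; what matters here is that the
# check covers message content rather than the connecting IP.
LMAP_RECORDS = {"example.org": {"192.0.2.10"}}
DOMAIN_KEYS = {"example.org": b"constructed-example-org-key"}

def sign(domain, from_addr, body):
    """Sending MTA signs the From address and body with the domain key."""
    digest = hashlib.sha256(from_addr.encode() + b"\n" + body).digest()
    return hmac.new(DOMAIN_KEYS[domain], digest, hashlib.sha256).hexdigest()

def lmap_check(domain, connecting_ip):
    """LMAP: is the host that connected to us authorised for the domain?"""
    return connecting_ip in LMAP_RECORDS.get(domain, set())

def dk_check(domain, from_addr, body, sig):
    """Domain-signature check: recompute and compare in constant time."""
    if domain not in DOMAIN_KEYS:
        return False
    return hmac.compare_digest(sign(domain, from_addr, body), sig)

def deliver(hops, from_addr, body, sig, intermediates_append_footer=False):
    """Relay through hops [(host, ip), ...]; hops[0] is the sending domain's
    MTA(s), the rest are intermediates MTA(i). MTA(r) sees only the last
    hop's IP, so that is what the LMAP check uses."""
    for host, _ip in hops[1:]:
        if intermediates_append_footer:   # a forwarder that rewrites the body
            body += b"\n-- relayed via " + host.encode()
    domain = from_addr.split("@", 1)[1]
    return {"lmap": lmap_check(domain, hops[-1][1]),
            "dk": dk_check(domain, from_addr, body, sig)}

FROM = "alice@example.org"                          # constructed sender
BODY = b"Hello, this is a constructed test message."
SIG = sign("example.org", FROM, BODY)
MTA_S = ("mta.example.org", "192.0.2.10")           # authorised sender
MTA_I = ("forwarder.example.net", "198.51.100.7")   # unrelated intermediate

if __name__ == "__main__":
    print("direct:   ", deliver([MTA_S], FROM, BODY, SIG))
    print("forwarded:", deliver([MTA_S, MTA_I], FROM, BODY, SIG))
    print("modified: ", deliver([MTA_S, MTA_I], FROM, BODY, SIG, True))
```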

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg