
Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys"

2003-12-09 12:37:35

On Mon, Dec 08, 2003 at 03:35:28PM -0500, Yakov Shafranovich wrote:
> The signature attests to the fact that the domain name or server from
> which the message originated, is not forged.

*lol*
I don't see any more security here than with a "paranoid" dns lookup.
If I do a reverse DNS lookup and get a name and do a lookup of the name
and get the IP I can assume #1 that it is correct.
   #1 with drawbacks as to DNS spoofing and DNS security.
Now, if the sending MTA has a signature on the message and I use DNS
to get the public key to verify the signature #1 from above still
applies. So the win for using PKI and not paranoid DNS lookups is zero.

If people don't get simple things right like a correct HELO host and DNS
for their mailservers, does anyone seriously believe they will get
PKI working? I surely don't believe that.
On one of our mailservers out of 143013 connections 66619 had
non-matching HELO hosts sent. That's about 47 percent. Any more
questions? Oh, and no, it's not only evil spammers:
  smtp5.wanadoo.fr:193.252.22.26        HELO mwinf0502.wanadoo.fr
  daedalus.apache.org:208.185.179.12    HELO mail.apache.org
  nlpproxy03.prodigy.net.mx:148.235.52.23 HELO smtp.prodigy.net.mx
  sc8-sf-sshgate.sourceforge.net:66.35.250.220 HELO sc8-sf-netmisc.sourceforge.net
  mxpool16.ebay.com:66.135.197.22       HELO mx40.sjc.ebay.com
        That's a kewl one: mx40.sjc.ebay.com -> 10.6.182.160
        leaking RFC addresses to the public Internet
  smtp05.web.de:217.72.192.209          HELO smtp.web.de
  datatracker.ietf.org:132.151.6.22     HELO optimus.ietf.org
  pluto3.daimler-benz.com:53.122.2.33   HELO daimler-benz.com

These few "well known names" were taken from a 10-minute snapshot of the
mailer logfile.

But PKI always sounds kewl and wasn't it a nice press release for Yahoo
that made it all around the world?
Not too bad for some hot air, I'd say.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
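
The "paranoid" DNS lookup and the HELO comparison described in the message above, as an added example that is not part of the original post. It assumes "non-matching" means the HELO name differs from the reverse-DNS name; the hostnames, log lines, `FORWARD` table and function names are constructed for illustration, with the table standing in for live A lookups.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in the post's "rdns-name:ip HELO helo-name" layout.
SAMPLE_LOG = """\
mail.example.org:192.0.2.10 HELO mail.example.org
relay1.example.net:198.51.100.7 HELO smtp.example.net
mx1.example.com:203.0.113.5 HELO mx-int.example.com
host.example.invalid:203.0.113.77 HELO host.example.invalid
"""

# Constructed forward-DNS answers (name -> A records), replacing live lookups.
FORWARD = {
    "mail.example.org": ["192.0.2.10"],
    "relay1.example.net": ["198.51.100.7"],
    "smtp.example.net": ["198.51.100.99"],
    "mx1.example.com": ["203.0.113.5"],
    "mx-int.example.com": ["10.6.0.1"],
}

def parse(line):
    """Split one log line into (rdns_name, ip, helo_name). IPv4 only."""
    left, _, helo = line.partition(" HELO ")
    rdns, _, ip = left.strip().rpartition(":")
    return rdns.lower(), ip, helo.strip().lower()

def check(rdns, ip, helo, forward):
    """Return (fcrdns_ok, helo_matches, helo_rfc1918) for one connection."""
    # Paranoid lookup: the reverse-DNS name must resolve back to the peer IP.
    fcrdns_ok = ip in forward.get(rdns, [])
    helo_matches = helo == rdns
    # A HELO name that resolves into private address space.
    helo_rfc1918 = any(ipaddress.ip_address(a) in net
                       for a in forward.get(helo, []) for net in RFC1918)
    return fcrdns_ok, helo_matches, helo_rfc1918

def summarize(log, forward):
    """Count failures of each check over all log lines."""
    stats = {"total": 0, "fcrdns_fail": 0, "helo_mismatch": 0, "helo_rfc1918": 0}
    for line in log.splitlines():
        if " HELO " not in line:
            continue
        ok, match, private = check(*parse(line), forward)
        stats["total"] += 1
        stats["fcrdns_fail"] += not ok
        stats["helo_mismatch"] += not match
        stats["helo_rfc1918"] += private
    return stats
```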