On Tue, Dec 09, 2003 at 04:28:05PM -0800, Mark Baugher wrote:
A clarification...
+---------------+ +---------------+
| UA.o -> MTA.o | -> MTA.i -> | MTA.r -> UA.r |
+---------------+ +---------------+
Are you saying that MTA.o signed it and a spammer captured
the message and resent it? Was it resent from MTA.o or from
some other domain or does this not matter?
You don't need to capture.
The problem I addressed is "what to sign" to make it impossible to steal
the signing and use it in another context.
E.g. the message to the list I am replying to has headers:
Received: from mbaugher-w2k07.cisco.com (sjc-vpn3-38.cisco.com [10.21.64.38])
by sj-core-4.cisco.com (8.12.6/8.12.6) with ESMTP id hBA0S6iO027174;
Tue, 9 Dec 2003 16:28:07 -0800 (PST)
Message-Id:
<6(_dot_)0(_dot_)0(_dot_)22(_dot_)2(_dot_)20031209161256(_dot_)03afcbd0(_at_)mira-sjc5-6(_dot_)cisco(_dot_)com>
Both header lines are (or should be and probably are) unique. So you now
could use them, build a checksum, sign it with your private key and get
something like 'JK807JK8JK90KLKL'. Now you add a Header like
X-Signature: sj-core-4.cisco.com; sign='JK807JK8JK90KLKL'
I can now (as the recipient) lookup your public key and validate,
whether the above two lines match the signature in the X-Signature:
line. So far so good.
But now, what stops a spammer from copying the two lines and the
X-Signature line and create a new email useing the stolen headers
like:
Received: from sj-core-4.cisco.com
by mail.example.net with ESMTP id 1234567890;
Wed, 10 Dec 02:02:32 +0100 (CEST)
X-Signature: mail.example.com; sign='908865KJGLSD0987'
Received: from mbaugher-w2k07.cisco.com (sjc-vpn3-38.cisco.com [10.21.64.38])
by sj-core-4.cisco.com (8.12.6/8.12.6) with ESMTP id hBA0S6iO027174;
Tue, 9 Dec 2003 16:28:07 -0800 (PST)
Message-Id:
<6(_dot_)0(_dot_)0(_dot_)22(_dot_)2(_dot_)20031209161256(_dot_)03afcbd0(_at_)mira-sjc5-6(_dot_)cisco(_dot_)com>
X-Signature: sj-core-4.cisco.com; sign='JK807JK8JK90KLKL'
How would you know that the message NOT really originated (or was sent
via) sj-core-4.cisco.com?
As a lot of software modifies/replaces/deletes both the message headers
and the message bodies you can't simply base your digest and signature
on this information.
If the spammer sends from MTA.o, then wouldn't we expect MTA.o
to have a policy to not forward mail that it had previously
signed?
No. Why?
If I get an eMail from a friend with an address at a public mail service
provider (aka freemail) and think it is funny, why should it not be
possible to bounce the message on to another friend at the same freemail
provider as the original sender? Or think of simple addresslists ...
cat >> .forward (for jokes(_at_)example(_dot_)net)
joe(_at_)example(_dot_)com
jane(_at_)example(_dot_)com
jill(_at_)example(_dot_)org
Now bert(_at_)example(_dot_)org sends mail to jokes(_at_)example(_dot_)net and
the mail will
go back to the originating system to jill(_at_)example(_dot_)org(_dot_)
If it comes from some MTA.x then a legitimate MTA.x might
reasonably have a policy of not forwarding mail signed by
some MTA.o unless (1) it has some MTA.i relationship
with MTA.o, which will rarely be the case, and
How can you detect relationships between MTA.x and MTA.i? What do you
mean with relationships between MTA.x and MTA.i?
(2) it was in fact received from MTA.o.
To determine this is the problem ;-)
If MTA.x is not legit, then won't MTA.r make a determination
on the validity of the message based on the trust it places
in the signature of MTA.x and not MTA.o?
How do you determine that "MTA.x is not legit"?
Is dsl081-084-010.lax1.dsl.speakeasy.net [64.81.84.10] legit if it
can provide a certificate? What must be the object of the certificate
(sorry I don't know the correct english word, what is it that is
certified? Is it the name? is it the IP address?) If it tries to inject
an email with an envelope sender joe(_at_)example(_dot_)com and a recipient
address
in your domain and it has a legit certificate (whatever that means)
how can you determine if the message really originated at MTA.o?
Yahoo's answer would be "look at the signature", but we've seen above
that it is hard to put a signature in a email and making it secure
and not stealable.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg