
Re: [Asrg] Microsoft takes over British Telecom

2011-11-12 23:51:26
-----Original Message-----
From: asrg-bounces(_at_)irtf(_dot_)org 
[mailto:asrg-bounces(_at_)irtf(_dot_)org] On Behalf Of Paul Smith
Sent: Saturday, October 29, 2011 2:16 AM
To: Anti-Spam Research Group - IRTF
Subject: Re: [Asrg] Microsoft takes over British Telecom

I've been thinking about forwarding.

If you have A -> B, then server B forwards to server C, C can't do any
authentication based on A, because A doesn't know about the forwarding
(or it would, presumably, just send to C directly).

So, all sender domain authentication fails (without return path
rewriting).

There's an alternative proposal under development.  The idea is that B 
evaluates the message from A (be that with SPF or DKIM, or something else), and 
then applies an Authentication-Results (RFC5451) field with its findings.  When 
it relays toward C, it DKIM-signs the augmented message first.  When C gets it, 
it verifies B's signature, and then it can use the contents of the 
Authentication-Results field that B added to determine whether use of A's 
domain was authorized, even if A's signature no longer validates (and 
presumably A's SPF policy is guaranteed to fail at this point).  There must, of 
course, be an out-of-band arrangement that C trusts what B claims already in 
place for this to work.

That's the theory.  The specific mechanics and abuse defenses are still 
evolving.  The term "transitive trust" is being batted around as a label for 
the concept.  It's actually in production at a couple of large mailbox 
providers already.

I've spoken to people at IETF about the DANE idea, and it's universally 
considered a dead end, mostly because it simply doesn't scale and is 
ineffective against infected machines that otherwise can get authorization in 
the first place.  DANE is really designed to authorize use of domain names with 
respect to web pages, I believe, and not to authenticate clients.

-MSK
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
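The B-stamps, C-verifies flow described in the reply above, as an added illustration that is not part of the thread or of any deployed implementation: B records its verdict on A in an Authentication-Results field and signs the augmented headers; C honours that field only if the signature verifies and the signer is on C's out-of-band trust list. An HMAC over a key B and C share stands in for B's DKIM signature, and the header names, domains and key are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo: B and C agreed on this key out of band; an HMAC over the
# signed fields stands in for B's DKIM signature (assumption, not real DKIM).
SHARED_KEYS = {"b.example": b"constructed-demo-key"}
# C's out-of-band trust list: whose Authentication-Results C is willing to use.
TRUSTED_FORWARDERS = {"b.example"}
SIGNED_FIELDS = ("From", "Authentication-Results")

def _canon(headers, names):
    # Minimal canonicalization: lowercase field name, trimmed value, one per line.
    return "\n".join(f"{n.lower()}:{headers.get(n, '').strip()}" for n in names).encode()

def forwarder_stamp(headers, authserv_id, dkim_result, key):
    """B's step: record what it verified about A, then sign the augmented message."""
    stamped = dict(headers)
    stamped["Authentication-Results"] = f"{authserv_id}; dkim={dkim_result}"
    tag = hmac.new(key, _canon(stamped, SIGNED_FIELDS), hashlib.sha256).hexdigest()
    stamped["Forwarder-Signature"] = f"d={authserv_id}; h={':'.join(SIGNED_FIELDS)}; b={tag}"
    return stamped

def receiver_check(headers):
    """C's step: accept A's domain only when a trusted, verified forwarder vouched for it."""
    m = re.fullmatch(r"d=([^;]+); h=([^;]+); b=([0-9a-f]+)", headers.get("Forwarder-Signature", ""))
    if not m:
        return "no-forwarder-signature"      # bare A-R header with nobody vouching for it
    signer, fields, tag = m.group(1), m.group(2).split(":"), m.group(3)
    if signer not in TRUSTED_FORWARDERS:
        return "untrusted-forwarder"         # no out-of-band arrangement with this relay
    expected = hmac.new(SHARED_KEYS[signer], _canon(headers, fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "forwarder-signature-invalid" # A-R or From altered after B signed
    authserv, _, results = headers.get("Authentication-Results", "").partition(";")
    if authserv.strip() != signer:
        return "authserv-id-mismatch"        # A-R claims a different evaluator than the signer
    return "pass" if "dkim=pass" in results else "fail"
```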
