ietf-mailsig

Re: costs of different approaches

2004-10-06 13:19:23


On Wed, 6 Oct 2004, Rand Wacker wrote:

> So SPF and SID are useful to allow whitelisting of the 80% or so of
> messages that *pass* checks (and are on the associated whitelist), but
> will probably not be useful for anti-forgery checks.

Well, I have some comments about this which luckily get us back on the subject
of email signatures. First, let's notice that mail signatures by themselves are
like SPF without rejecting -all. What I mean is that while you can whitelist
the message that has a signature, the bad guys can still continue to send
emails with your forged address without any signatures and people will
continue to accept this. To get around this we obviously need to have an email
policy record that says that such and such domain has a mail server that signs
all outgoing email (in fact most proposals at MASS have that as part of their
design, using either special dns records or SPF modifiers).

Now the problem is exactly this email policy record. It so happens that if
the email signature standard can not deal with how email is changed in transit
(like the mail list problem of domainkeys), the result is that the receiver can
only whitelist email with good signatures, and if it's bad, he does not know
if it was due to changes made in transit or if it was originally bad. So
while an organization can publish "-all" for mail signatures, the receiver can
not reliably use that because at least some of the email from the domain
is going to fail signature verification unless the signature can survive all
changes in transit and still be verifiable.

I did actually find some ways to get around the problem of failed signatures
due to email mangling, but this works only when the false positive rate is
low (not the kind of rate that would happen if a message can not survive
common mail list processing). My ideas involve a mechanism for double-checking
in some way if the message was or was not changed in transit based on certain
parameters included in the message signature, and if it is found that the
message was changed, then it is allowed through as if it was an unsigned
message even if "-all" is published, but for all other real unsigned
email and those where public key verification fails, the message is denied.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/
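The receiver logic sketched in the post above, as an added example that is not part of the original message or of any MASS proposal: a "good / modified in transit / bad / unsigned" verification result is combined with whether the sending domain publishes a signs-everything ("-all") policy. It assumes an HMAC in place of a public-key signature so it runs offline, and a hypothetical signed-body-length parameter as the "double-check" that detects trailing additions such as mailing list footers.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key; stands in for the signing domain's key pair (assumption).
SIGNING_KEY = b"constructed-demo-key"


def _digest(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def sign(body: bytes) -> dict:
    """Sign a body and record how many bytes were covered. The 'length'
    parameter is the hypothetical in-transit-change detector."""
    return {"length": len(body), "sig": _digest(body)}


def verify(body: bytes, signature: Optional[dict]) -> str:
    """Return 'good', 'modified', 'bad' or 'unsigned'."""
    if signature is None:
        return "unsigned"
    if hmac.compare_digest(_digest(body), signature["sig"]):
        return "good"
    # Double-check: the signed prefix is intact and only trailing bytes were
    # appended (typical mailing list mangling), so treat as changed in transit.
    n = signature["length"]
    if n <= len(body) and hmac.compare_digest(_digest(body[:n]), signature["sig"]):
        return "modified"
    return "bad"


def disposition(status: str, policy_signs_all: bool) -> str:
    """Receiver decision per the post: whitelist good signatures; without a
    '-all' policy nothing else can be rejected; with '-all', mail detectably
    changed in transit is accepted as if unsigned, all other unsigned or
    failing mail is denied."""
    if status == "good":
        return "whitelist"
    if not policy_signs_all or status == "modified":
        return "accept"
    return "reject"
```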

