
RE: Good as the enemy of OK

2005-01-12 07:13:25

There is a certain level of functionality you can get by repurposing DNS. If
you want to go beyond that level you really need to start looking at a
separate key management scheme that is designed for the purpose.

The obvious candidate is XKMS which is compact, lightweight and provides
both the necessary retrieval and registration functionality.

You can't do per-user keying in the philosophy of DK without providing a
complete end user experience.

I know that folk keep muttering the perfect is the enemy of the good, but
the incomplete is the enemy of the user. I am not talking about
crypto-perfectionism here. I am talking about a complete end user
experience.


-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Tony 
Finch
Sent: Wednesday, January 12, 2005 8:53 AM
To: Sam Hartman
Cc: ietf-mailsig(_at_)imc(_dot_)org
Subject: Re: Good as the enemy of OK



On Wed, 12 Jan 2005, Sam Hartman wrote:

I do note that you're actually somewhat vulnerable to this replay even
with signed bodies.  I go get a free email account from an email
provider with a reasonably good reputation.  I send email containing
the spam body I want to some recipient I control that will look good
in to: headers.  Now that I've got this signature, I can replay the
message at any envelope recipient I want.

This puts the free email provider in the position of needing to revoke
the key I'm using, but they cannot do that until the other mail signed
with that key has had a chance to flow through the system.

If you implement per-user keys, then revocation of an account can imply
revocation of the key without affecting any innocent bystanders. However
there are efficiency considerations for recipients (how many keys are
they expected to cache, and for how long) and for senders (per-user keys
with low TTLs make joe jobs have a worse effect).

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
EAST NORTHERN SECTION: IN SOUTH, WEST OR NORTHWEST 7 TO 
SEVERE GALE 9, OCCASIONALLY STORM 10 OR VIOLENT STORM 11 IN 
EAST AT FIRST, DECREASING 5 OR 6, BACKING SOUTH 7 IN WEST 
LATER. SHOWERS, CLEARING LATER. MODERATE OR GOOD OCCASIONALLY 
POOR AT FIRST.
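An added illustration of the two points argued above (not code from this thread or from any DomainKeys implementation): a toy DK-style signature covers only selected headers and the body, never the SMTP envelope recipient, so Sam Hartman's replayed message verifies unchanged at any envelope recipient, and Tony Finch's per-user selectors let the provider revoke one account's key without invalidating mail from innocent bystanders. The selector names, key table and messages are constructed, and HMAC stands in for the RSA signature DomainKeys actually used.

```python
import hmac, hashlib

# Constructed "DNS" key table, selector -> key, mimicking DomainKeys selector records.
# Per-user selectors for alice and mallory; one shared selector for the whole domain.
KEYS = {
    "alice._domainkey.example.net": b"alice-key",
    "mallory._domainkey.example.net": b"mallory-key",
    "shared._domainkey.example.net": b"domain-wide-key",
}

def canonical(msg):
    # Only selected headers and the body are signed; the SMTP envelope is not part of it.
    headers = "\n".join(f"{h}:{msg['headers'][h]}" for h in ("from", "to", "subject"))
    return headers + "\n\n" + msg["body"]

def sign(msg, selector, keys):
    # HMAC stands in for the RSA signature real DomainKeys used (assumption, stdlib only).
    tag = hmac.new(keys[selector], canonical(msg).encode(), hashlib.sha256).hexdigest()
    return dict(msg, selector=selector, signature=tag)

def verify(signed, envelope_rcpt, keys):
    """True if the signature validates for delivery to envelope_rcpt."""
    key = keys.get(signed["selector"])
    if key is None:
        return False  # selector gone from "DNS": key revoked
    expected = hmac.new(key, canonical(signed).encode(), hashlib.sha256).hexdigest()
    # envelope_rcpt is never consulted, which is exactly why replay verifies.
    return hmac.compare_digest(expected, signed["signature"])

def demo(per_user=True):
    """Replay then revoke; returns whether the spam and an innocent message still verify."""
    keys = dict(KEYS)  # fresh copy so the demo is repeatable
    spam = {"headers": {"from": "mallory@example.net", "to": "pal@example.net",
                        "subject": "hi"}, "body": "constructed spam body"}
    legit = {"headers": {"from": "alice@example.net", "to": "bob@example.org",
                         "subject": "lunch"}, "body": "12:30?"}
    sel_spam = "mallory._domainkey.example.net" if per_user else "shared._domainkey.example.net"
    sel_legit = "alice._domainkey.example.net" if per_user else "shared._domainkey.example.net"
    s_spam, s_legit = sign(spam, sel_spam, keys), sign(legit, sel_legit, keys)
    replayed = verify(s_spam, "victim@example.com", keys)  # envelope differs; still valid
    keys.pop(sel_spam)  # provider revokes the key used for the abuse
    return {"replay_verifies": replayed,
            "spam_after_revocation": verify(s_spam, "victim@example.com", keys),
            "bystander_after_revocation": verify(s_legit, "bob@example.org", keys)}
```

With per_user=True revocation stops the replayed spam and leaves alice's mail valid; with per_user=False (one domain-wide key) revoking it also invalidates alice's message, which is the bystander problem Tony describes.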


