ietf-mailsig

Re: MASS Security Review document

2005-02-10 19:36:21

On Thu, 2005-02-10 at 16:49 -0800, Michael Thomas wrote:
> On Thu, 2005-02-10 at 19:17 -0500, Sam Hartman wrote:
> > "Michael" == Michael Thomas <mike(_at_)mtcc(_dot_)com> writes:
> >
> > It's an attack that prevents you from building up useful reputation
> > data about a significant class of domain.
>
> Actually, I'd call it an _insignificant_ class of domain because
> the reputation that you can derive from, oh say, hotmail or aol
> or y! is so, so very problematic: even if they are behaving badly,
> who would dare blacklist them? (ok, there will be some ninnies, but
> they're outliers). *Far* more interesting and significant are the
> domains that are *not* very well known. This gives a big incentive
> to do very good policing lest your reputation suffer...

What acceptance value does a domain signature offer when it can be
"replayed" with impunity?  A delivery window ensures uninterrupted abuse
requires using only two dozen accounts per annum.  Accounts could be
terminated the instant a report of abuse is received, but this would not
prevent the "replay" abuse.  Policing will not be effective without an
ability to recall the signature-implied authorization.

With the majority of desktop operating systems compromised, it is not a
matter of extricating just a few bad accounts.  No provider, large or
small, is able to prevent "replay" attacks without an additional
mechanism.  Message signatures and an opaque identifier added by the
domain authentication process, together with published revocation
records, are a means to abate "replay" abuse.  Reputations could thus be
retained for both large and small domains.  Why not add an optional
opaque identifier?

-Doug
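The mechanism Doug sketches above (signature covering an opaque per-account identifier, checked against published revocation records), as an added illustration that is not part of the thread: HMAC stands in for the domain's public-key signature, a Python set stands in for the published records, and the domain, account identifier and key are constructed values.

```python
"""Constructed example: a domain signature carries an opaque per-account
identifier, and the verifier consults revocation records before the
signature earns any acceptance value.  HMAC replaces the real public-key
signature so the example runs offline; the set replaces published records."""
import hmac
import hashlib

# Constructed domain signing key (stand-in for a DNS-published public key).
DOMAIN_KEY = b"example-signing-key"


def _canonical(domain: str, opaque_id: str, body: str) -> bytes:
    # The opaque id is inside the signed data, so it cannot be stripped
    # or swapped without breaking the signature.
    return f"{domain}\n{opaque_id}\n{body}".encode()


def sign(domain: str, opaque_id: str, body: str) -> dict:
    """Domain signs a message and binds the opaque account identifier to it."""
    tag = hmac.new(DOMAIN_KEY, _canonical(domain, opaque_id, body),
                   hashlib.sha256).hexdigest()
    return {"domain": domain, "id": opaque_id, "body": body, "sig": tag}


def verify(msg: dict, revoked: set) -> str:
    """Classify a message as 'bad-signature', 'revoked' or 'accepted'.
    `revoked` models the domain's published revocation records."""
    expect = hmac.new(DOMAIN_KEY,
                      _canonical(msg["domain"], msg["id"], msg["body"]),
                      hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, msg["sig"]):
        return "bad-signature"
    if msg["id"] in revoked:
        return "revoked"
    return "accepted"


def replay_scenario() -> tuple:
    """Sign once, then re-verify the identical bytes after the account is
    reported: the signature still checks out, only the revocation record
    stops the replay.  Editing the id to dodge revocation breaks the signature."""
    revoked: set = set()                      # nothing published yet
    msg = sign("example.org", "acct-7f3a", "hello")
    before = verify(msg, revoked)
    revoked.add("acct-7f3a")                  # domain publishes a revocation
    after = verify(msg, revoked)              # same message, replayed later
    tampered = dict(msg, id="acct-0000")      # id swapped, signature unchanged
    return before, after, verify(tampered, revoked)


if __name__ == "__main__":
    print(replay_scenario())
```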
