Douglas Otis wrote:
On Fri, 2005-02-11 at 15:54 -0800, Jim Fenton wrote:
Sam Hartman wrote:
The point of MASS is to make it possible to have the infrastructure
necessary to build up reputation about a domain and to have strong
enough authentication that this reputation is meaningful.
I think you're assuming something about the way the reputation system
works; a large domain will hopefully still have an overwhelming majority
of "desirable" messages and that might factor into the reputation too.
The reputation might also depend on the responsiveness of the domain
when a problem is discovered. Or perhaps this is an argument for some
combination of reputation and accreditation.
This would be assuming reputation is based upon the remote IP address.
In such a case, server reputations can be retained by canceling abusive
accounts and monitoring logs. A signature however can be
"authenticated" regardless of the remote IP address, and hence canceling
accounts and monitoring logs alone would be ineffectual reputation
protection as abuse could continue unabated as "replays".
I don't see any relationship to the use of IP address as an identifier
in the above discussion. I was talking about signatures, and I think
Sam was too.
Not if they read section 9.1.4, "Message Replay Attack", of the
IIM draft. We have tried to be as upfront as possible about the
limitations of message signing.
Rather than taking a fingerprint of the message as described in 9.4.1,
establishing persistent revocation identifiers would offer opportunities
to prevent this threat.
The countermeasures described there aren't intended to be used; they're
illustrations of the problems associated with trying to "fix" the
message replay problem.
There's a related attack that actually worries me more. Suppose someone
sends some spam to (for example) an ietf.org mailing list, where it gets
[re-]signed. If this message is replayed widely, it looks like ietf.org
is generating lots of spam, and it didn't even come from a user with an
ietf.org address.
Reputation must be based only upon authenticated identifiers, which
underscores limitations in establishing assurances for a specific
mailbox-domain.
Even the revocation identifiers you're advocating might have a problem
with mailing list replays. If a message gets signed by a mailing list
and then replayed, do you revoke the mailing list's authorization?
Hopefully not; this might interfere with other messages in transit. Do
you then put a unique revocation ID on each message? That adds a whole
new dimension to the scaling problem.
Replay must be allowed until abuse has been reported or detected. An
optional revocation identifier would allow both protection of the
signature reputation, and provide a means to detect when abuse may be
occurring.
But once the replay has been detected, the damage (dissemination of the
spam) has basically been done. I'm concerned about the time urgency of
the revocation: how quickly must the domain publish a revocation of a
particular identifier in order to prevent damage to its reputation? The
revocation ID can be used to prevent a particular user from sending more
than one message for replay, but why wouldn't they just get a new
account for each message they want to replay?
-Jim
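A small model of the replay timeline debated in this thread, added here as an example; it is not code from the thread, from IIM or from any of the participants. It assumes an HMAC with a constructed key as a stand-in for the domain's signature, a constructed revocation list held by the verifier, and constructed message bodies.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a signing domain's key. A real scheme would use a
# public-key signature, but the replay property shown here is the same.
DOMAIN_KEY = b"constructed-key-for-example.org"


def _canonical(body, rev_id):
    # The revocation identifier, when present, is covered by the signature, so a
    # replayer cannot strip or swap it without invalidating the signature.
    return f"rev-id:{rev_id or ''}\n\n{body}".encode()


def sign(body, key=DOMAIN_KEY, with_rev_id=False):
    """Sign a message, optionally binding a unique per-message revocation ID."""
    rev_id = secrets.token_hex(8) if with_rev_id else None
    sig = hmac.new(key, _canonical(body, rev_id), hashlib.sha256).hexdigest()
    return {"body": body, "rev_id": rev_id, "sig": sig}


def verify(msg, revoked, key=DOMAIN_KEY):
    """Return 'pass', 'revoked' or 'bad-signature'."""
    # The check depends only on the message and the key, never on the connecting
    # IP, so a verbatim replay verifies like the original until its ID is revoked.
    expected = hmac.new(key, _canonical(msg["body"], msg["rev_id"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        return "bad-signature"
    if msg["rev_id"] is not None and msg["rev_id"] in revoked:
        return "revoked"
    return "pass"


def replay_scenario():
    """Walk the timeline debated in the thread and record each verdict."""
    revoked = set()
    spam = sign("buy now", with_rev_id=True)         # abusive message the domain signed
    legit = sign("meeting at 10", with_rev_id=True)  # unrelated message in transit
    plain = sign("no rev-id here")                   # signed without a revocation ID
    replay = dict(spam)                              # verbatim copy sent from elsewhere
    results = {"replay_before_detection": verify(replay, revoked)}
    # Abuse is reported; the domain revokes only that one message's identifier.
    revoked.add(spam["rev_id"])
    results["replay_after_revocation"] = verify(replay, revoked)
    results["other_message_unaffected"] = verify(legit, revoked)
    # A message signed without an identifier cannot be revoked individually.
    results["plain_replay_after_revocation"] = verify(dict(plain), revoked)
    # Altering the body while reusing the signature fails outright.
    results["tampered_replay"] = verify(dict(replay, body="buy now!!"), revoked)
    return results
```

The verdicts show the point both sides make: copies delivered before revocation verify cleanly, the identifier lets the domain revoke one message without touching others in transit, and a message signed without an identifier can only be stopped by revoking the key itself.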