ietf-mailsig

Re: In response to Housley-mass-sec-review

2005-03-08 09:27:57

On Tue, 2005-03-08 at 07:04 -0800, Mark Baugher wrote:
> On Mar 5, 2005, at 8:10 AM, Andrew Newton wrote:
>> On Mar 4, 2005, at 9:21 AM, Mark Baugher wrote:
>>
>>> Revocation schemes that scale up to the numbers we are discussing
>>> typically don't attempt to mirror the DNS nor require large server
>>> farms.
>>
>> Let's say Yahoo has 40 million email accounts (that's probably pretty
>> high) and has to revoke 10%.
>
> I was discussing the making and revoking of reputation assertions.  At
> least that's what I wanted to discuss.  I think you're talking about
> revoking account keys.

The revocation records signal the rejection of revocation-identifiers
within the signature (content).  Currently deployed reputation services
use nearly identical signaling for remote IP addresses, rejected by
returning an A record (127.0.0.1/8).  There is a good reason why a
record is not returned when reputation is good.  It is desired that the
recipient make the TTLs of no-record results short (negative caching) to
indicate acceptance, but at their discretion, to adjust their network
and cache loads.

When using a record as an indication of acceptance, to then allow
rapid revocation, the A records would need to have relatively short
TTLs.  Some positive reputation services do this by using a 0 TTL.  About
25% of the IP space is excluded with a bad reputation, and the database
for asserting a bad reputation is still smaller than a good one.  (This
information still needs to be propagated.)  The domain name space is a
bit different.  It looks to be a closer split of good and bad, no doubt
driven by a need to evade filtering.  It still seems to be a better
choice to have a record express a bad reputation, however.

Described as a DoS database, use of HELO-domain combined with
message-signature-domain could make a common database that guards the
recipient at both phases (HELO & Signature).  Larger domains with a few
bad accounts would be handled by the revocation-identifier after the
domain is accepted at the HELO and the signature check.  When the
HELO-domain is within the Signature-domain, the revocation-identifier
check can be skipped; in this situation a reputation check on the HELO
should also allow the skipping of a signature reputation check.  In
other words, sub-domains for a domain with a bad reputation should also
return a bad reputation.

Reputation is on the order of consumer electronics numbers, e.g. 
broadcast key management systems on the scale of digital versatile disc 
players or even individual discs.

Agreed.  Looking at how the number of queries can be reduced is an
important aspect of meeting these requirements.  There are examples that
indicate DNS style query techniques scale to reporting on billions of
entities. (Not easily, but well beyond the entire domain name space.)  A
reputation service is still at a larger scale than the
revocation-identifier query would ever be.  The revocation-identifier is
also distributed whereas a reputation query would be for all domains.

There are some ideas how reputation services can be better implemented,
but this will require a development process.  For now, using DNS seems
like a good starting point that should be able to meet immediate needs
of a new mechanism.

Tony Finch has suggested within the Clear WG to combine the IP address
with the domain, i.e.

d.c.b.a._ip4.<domain-query>.<domain-service>

-Doug
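An added illustration, not part of Doug's message or of any ietf-mailsig code, of the signaling described above: a query name built from the domain (and, in Tony Finch's form, the reversed IPv4 octets), an A record inside 127.0.0.0/8 read as "reject", no record read as "accept", the parent walk that makes a sub-domain of a bad domain bad, and the HELO-then-signature check that skips the second lookup when the HELO-domain lies within the Signature-domain. The service name rep.example, the in-memory zone standing in for real DNS, and the rule of stopping the parent walk at two labels are all assumptions of this example.

```python
import ipaddress

# Constructed zone for a hypothetical service "rep.example": an A record in
# 127.0.0.0/8 signals "reject"; no record at all (NXDOMAIN) means "accept".
ZONE = {
    "spammer.example.rep.example": "127.0.0.2",               # bad domain
    "4.3.2.1._ip4.bigmail.example.rep.example": "127.0.0.3",  # bad IP/domain pair
}
REJECT_NET = ipaddress.ip_network("127.0.0.0/8")

def lookup_a(name):
    """Stand-in for a DNS A query against the constructed zone (None = no record)."""
    return ZONE.get(name.lower())

def query_name(domain, service, ip=None):
    """Build the query name; with an IP, use the d.c.b.a._ip4.<domain>.<service> form."""
    labels = [domain.strip(".").lower(), service.strip(".").lower()]
    if ip is not None:
        octets = ipaddress.IPv4Address(ip).exploded.split(".")
        labels = [".".join(reversed(octets)), "_ip4"] + labels
    return ".".join(labels)

def is_rejected(name):
    """Only an address inside 127.0.0.0/8 counts as a rejection signal."""
    addr = lookup_a(name)
    return addr is not None and ipaddress.ip_address(addr) in REJECT_NET

def domain_rejected(domain, service, ip=None):
    """Walk the domain and its parents so a sub-domain of a bad domain is also bad.
    Assumption: stop at two labels (no public-suffix list is consulted)."""
    labels = domain.strip(".").lower().split(".")
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        if is_rejected(query_name(name, service)):
            return True
        if ip is not None and is_rejected(query_name(name, service, ip)):
            return True
    return False

def check_message(helo_domain, sig_domain, client_ip, service="rep.example"):
    """HELO phase first (domain plus client IP), then the signature domain; skipped
    when the HELO-domain (lowercase, no trailing dot) lies within the Signature-domain."""
    if domain_rejected(helo_domain, service, client_ip):
        return "reject-helo"
    if helo_domain == sig_domain or helo_domain.endswith("." + sig_domain):
        return "accept"
    if domain_rejected(sig_domain, service):
        return "reject-signature"
    return "accept"
```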
