Sure, CSV is complementary to signatures. But requiring CSV means that
signature verification can only happen at the edge MTA, which is a
significant operational constraint. Are you also saying that CSV
authentication MUST succeed before you even try to verify the
signature? Does the HELO domain also have to have a reasonably good
reputation? I would not be happy with codifying either of these
dependencies (although recipients, of course, can do whatever they want).
Let me try to nip this in the bud, and by way of simplifying things, I am
responding without having read the rest of the thread carefully, because I
don't think it matters:
CSV is an independent mechanism from content signature.
Independent means no dependencies.
It is complementary in the sense that it tells you something about the MTA
operator, distinct from telling you something about the content creator
(author, or the like).
Further, it is session-based, rather than per-message based.
What should a receiver do, with the independent information developed, about
content and operations ('signature' for the former, and ip-based authentication
and authorization for the latter)? I think the answer will develop from
experience.
Plausible choices:
1. If the operator is well known and trusted, the content mechanism might be
bypassed, for efficiency.
2. If the operator appears to have a reasonable reputation, then content
assessment mechanisms might be used superficially, rather than extensively.
and lots more choices. We need to gain experience, to see what choices are the
most useful.
Neither mechanism should (or, in my opinion, can) dictate how the other is used.
Rather we need to have the model of the recipient having an assessment engine,
as they already do, formulating a score. Exactly how to balance the components
of the score is an art that -- as we all know -- is a developing bit of magic.
CSV provides a useful (and remarkably simple and direct) bit of input.
> While the barn door is always open for a signed message, responding
> promptly to a replay attack should diminish the damage. Massive amounts
> of mail can not be sent instantaneously. Those locations that send high
> bandwidth replay should end up within a DoS database. There is also
> some clean-up that can be done post acceptance as well.
>
>
I hate to lean too much on the "zombie" example, but with enough
coordinated senders, a lot of mail can be sent very quickly.
This is one of the likely distinctions between per-message signatures and
per-operator assessment. The latter is more likely to provide a basis for
assessing aggregate behavior (i.e., traffic) than the former.
(by the way, I really like Suresh's term "horizontal scaling" to describe the
use of zombie armies, for distributing traffic generation.)
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net
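The "assessment engine" model sketched above (session-level operator information and per-message signature information kept independent, fed into one score, with the per-operator view also carrying the aggregate traffic signal) is easy to state but worth seeing concretely. The following is an added illustration, not code from this thread, from CSV, or from any signature specification. It assumes a simplified shape for both inputs: `SessionInfo` stands in for whatever a CSV-style HELO/IP check and accreditation lookup produce, `MessageInfo` for whatever a content-signature verifier produces; the thresholds, weights, window and burst limit are arbitrary choices made here for illustration only.

```python
# Added example (not from the thread, CSV, or any signature spec): a toy
# receiver assessment engine that treats the session-based (HELO/IP) result
# and the per-message (content signature) result as independent inputs.
# All names, thresholds and weights below are assumptions for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class ContentCheck(Enum):
    """How much per-message signature work to do, chosen from session info."""
    SKIP = "skip"                # operator well known and trusted: bypass, for efficiency
    SUPERFICIAL = "superficial"  # reasonable reputation: cheap structural check only
    FULL = "full"                # unknown or unauthenticated operator: verify fully


@dataclass(frozen=True)
class SessionInfo:
    """Assumed shape of the session-level result (not the CSV wire format)."""
    helo_domain: str
    authenticated: bool   # did the HELO domain authorize this client IP?
    reputation: float     # 0.0 (bad) .. 1.0 (excellent); assumed accreditation output


@dataclass(frozen=True)
class MessageInfo:
    """Assumed shape of the per-message content-signature result."""
    signature_present: bool
    signature_valid: Optional[bool] = None  # None means it was not verified


class AssessmentEngine:
    def __init__(self, trusted=0.9, reasonable=0.6, window_s=60.0, burst_limit=100):
        self.trusted = trusted
        self.reasonable = reasonable
        self.window_s = window_s
        self.burst_limit = burst_limit
        # per-operator (HELO domain) timestamps of recent sessions: the aggregate view
        self._recent = defaultdict(deque)

    def choose_content_check(self, session: SessionInfo) -> ContentCheck:
        """Session info only decides how much content work to spend, never acceptance."""
        if not session.authenticated:
            return ContentCheck.FULL
        if session.reputation >= self.trusted:
            return ContentCheck.SKIP
        if session.reputation >= self.reasonable:
            return ContentCheck.SUPERFICIAL
        return ContentCheck.FULL

    def record_session(self, helo_domain: str, now: float) -> int:
        """Track volume per operator; returns sessions seen inside the window."""
        q = self._recent[helo_domain]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def content_component(self, check: ContentCheck, msg: MessageInfo) -> Optional[float]:
        """Score contribution of the content mechanism, or None when it was skipped."""
        if check is ContentCheck.SKIP:
            return None
        if check is ContentCheck.SUPERFICIAL:
            return 0.7 if msg.signature_present else 0.4
        if msg.signature_valid is True:
            return 1.0
        if msg.signature_valid is False:
            return 0.0
        return 0.3  # unsigned, or signed but not verifiable

    def score(self, session: SessionInfo, msg: MessageInfo, now: float) -> Tuple[float, ContentCheck]:
        """Combine the two independent inputs; higher means more acceptable."""
        check = self.choose_content_check(session)
        session_component = session.reputation if session.authenticated else 0.2
        content = self.content_component(check, msg)
        combined = session_component if content is None else 0.5 * session_component + 0.5 * content
        # Aggregate behaviour: a burst from one operator pulls the score down
        # regardless of how each individual message looks. Per-message
        # signatures alone give no handle on this.
        volume = self.record_session(session.helo_domain, now)
        if volume > self.burst_limit:
            combined *= 0.5
        return round(combined, 3), check
```

Neither input dictates how the other is used: the session result only changes how much signature work is spent, the signature result only changes one term of the score, and the burst penalty is computed from the per-operator history alone. Replacing the weights with ones learned from experience is the "developing bit of magic" the message refers to; the structure stays the same.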