ietf-mxcomp

Re: Why we should authenticate multiple identities

2004-09-18 11:54:12


On Sat, 18 Sep 2004, Meng Weng Wong wrote:

> On Sat, Sep 18, 2004 at 07:01:14PM +0100, David Woodhouse wrote:
> | 
> | This is going to be _entirely_ counterproductive in the long run. If you
> | want true authentication, implement a true end-to-end scheme rather than
> | a hop-by-hop scheme which cannot ever solve the problem. MARID has its
> | place but this is _not_ it.
> 
> I plan to implement DomainKeys as soon as a plugin is
> available for my MTA.  Have you implemented it yet?

No, and I don't believe anybody else should either. That is, unless you're
prepared to lose legitimate email when it comes through an email list.

DK is a badly engineered mail signature system that will cause many false
positives. It fails particularly badly with mailing lists and with the majority
of other cases of email being reintroduced by gateways or intermediate
email processors, in fact anything that changes headers in any way!

If you want something that is OK, consider MTA Signatures or possibly
Cisco's identified email proposal. Neither one is perfect, but at least
there is not as much room for failures.

> | We need to stop disingenuously selling SPF/SenderID as a real
> | authentication scheme.

Nobody does. But at the same time, SPF offers the ability to protect the
communication parameters of the transmission (envelope), and it's a lightweight
approach that can be more easily implemented and can allow rejecting a message
before transmission has even begun.

All encryption methods, while offering a lot stronger protection, also
carry heavier penalties for those doing signatures and verification, and
they require a lot more changes to all MTAs to support them.

---
William Leibzon, Elan Networks:
 mailto: william(_at_)elan(_dot_)net
Anti-Spam Research Worksite:
 http://www.elan.net/~william/asrg/
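The mailing-list failure mode argued over in this thread, as an added illustration that is not part of the post or of the DomainKeys specification: a toy signature over a fixed set of headers plus the body, run through the modifications a typical list server makes. HMAC-SHA256 stands in for DK's public-key signature (an assumption; the breakage mechanism is identical), and the message, key and list behaviours are all constructed.

```python
import hashlib
import hmac

# Constructed toy of a DomainKeys-style signature. HMAC-SHA256 replaces the
# public-key signature real DK uses (assumption); what matters here is that
# the signed input covers named headers and the body byte-for-byte.
SIGNED_HEADERS = ("from", "to", "subject")
SIG_HEADER = "domainkey-signature"


def canonicalize(headers: dict, body: str) -> bytes:
    """Signed headers in fixed order, then the body with trailing newlines dropped."""
    lines = [f"{h}:{headers[h].strip()}" for h in SIGNED_HEADERS]
    lines.append(body.rstrip("\n"))
    return "\n".join(lines).encode()


def sign(headers: dict, body: str, key: bytes) -> dict:
    """Return a copy of the headers carrying the signature header."""
    signed = dict(headers)
    mac = hmac.new(key, canonicalize(headers, body), hashlib.sha256)
    signed[SIG_HEADER] = mac.hexdigest()
    return signed


def verify(headers: dict, body: str, key: bytes) -> bool:
    """Recompute the MAC over the message as received; constant-time compare."""
    expected = hmac.new(key, canonicalize(headers, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(headers.get(SIG_HEADER, ""), expected)


# Things a list server commonly does before re-sending a message (constructed).
LIST_BEHAVIOURS = {
    "add List-Id header": lambda h, b: ({**h, "list-id": "<dev.example.org>"}, b),
    "tag subject": lambda h, b: ({**h, "subject": "[dev] " + h["subject"]}, b),
    "append footer": lambda h, b: (h, b + "\n--\nUnsubscribe: see the list page"),
    "strip trailing blank lines": lambda h, b: (h, b.rstrip("\n")),
}


def survives_list(key: bytes) -> dict:
    """Sign a constructed message, apply each behaviour, report which still verify."""
    headers = {"from": "alice@example.org", "to": "dev@example.org", "subject": "Patch"}
    body = "Please review.\n\n"
    signed = sign(headers, body, key)
    return {name: verify(*change(signed, body), key)
            for name, change in LIST_BEHAVIOURS.items()}


if __name__ == "__main__":
    for name, ok in survives_list(b"constructed-test-key").items():
        print(f"{name:28s} -> {'signature valid' if ok else 'signature BROKEN'}")
```

Only changes to unsigned headers or to the bytes the canonicalization discards pass; a subject tag or a footer, the two most common list edits, break the signature outright.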