spf-discuss

Re: ANNOUNCE: SRS v0.15 documentation and code

2004-02-11 05:41:16
In <Pine(_dot_)LNX(_dot_)4(_dot_)53(_dot_)0402110952540(_dot_)29116(_at_)astray(_dot_)com> Shevek <spf(_at_)anarres(_dot_)org> writes:

>> As Daniel Roethlisberger points out, you really don't need a complete
>> MD5 hash.  My gut feel is that even 16 bits of the hash would prevent
>> any useful spoofing of the SRS system, and I think it would be very
>> useful to calculate a lower bound.  Then, you can use base32 encoding
>> or something more resilient to strange MTA manglings.
>
> I agree. This has also been under discussion. I am thinking to allow any
> prefix of the hash. [...]


I've been thinking about this a little bit.

All we need to do is make it impractical to use SRS to create open
relays, not impossible.  As such, I think that 15-20 bits is probably
more than enough.

Now, since we are throwing out almost all of the MD5 hash, I wonder if
we would be better off using something lighter-weight than MD5.  We
could use any of the private-key ciphers in chain-block-mode (CBC) and
use the last block as the hash.

Speed is an issue in MTAs.  Could we save a significant amount of CPU
time by using AES in CBC mode vs MD5?  Could we use RC4?

Heck, is there any reason to specify the cipher/hash at all?  The only
two requirements are that the host that generates the stamp can verify
it, and that you can't use past examples of the SRS to predict future
hashes.


-wayne
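
An added example, not part of the original message and not the SRS project's code: a truncated keyed-hash stamp of the kind discussed in this thread, base32-encoded and verified case-insensitively, plus the blind-guess success rate for a given tag width. HMAC-SHA256, the field layout, the sample values and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

B32_BITS = 5  # each base32 character carries 5 bits of the hash


def make_tag(secret: bytes, timestamp: str, host: str, local: str,
             bits: int = 20) -> str:
    """Return the first `bits` bits of a keyed hash, base32-encoded."""
    if bits % B32_BITS or not 5 <= bits <= 160:
        raise ValueError("bits must be a multiple of 5 between 5 and 160")
    # Length-prefix every field so ("ab", "c") and ("a", "bc") differ.
    fields = (timestamp.encode(), host.lower().encode(), local.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # 20 bytes encode to exactly 32 base32 characters with no padding,
    # so a character prefix is also a bit prefix of the hash.
    full = base64.b32encode(digest[:20]).decode("ascii").lower()
    return full[: bits // B32_BITS]


def verify_tag(secret: bytes, tag: str, timestamp: str, host: str,
               local: str, bits: int = 20) -> bool:
    """Check a received tag; only the holder of `secret` can do this."""
    expected = make_tag(secret, timestamp, host, local, bits)
    # base32 is single-case, so case folding by an MTA is harmless.
    received = tag.lower().encode("ascii", "replace")
    return hmac.compare_digest(received, expected.encode("ascii"))


def forgery_success(bits: int, attempts: int) -> float:
    """Chance that at least one of `attempts` blind guesses is accepted."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** attempts


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed sample values
    tag = make_tag(key, "TT", "example.org", "alice", bits=20)
    print(tag, verify_tag(key, tag.upper(), "TT", "example.org", "alice"))
    for width in (15, 20, 40):
        print(width, forgery_success(width, 1_000_000))
```

Because the tag is a prefix of one fixed encoding, a verifier can accept shorter or longer tags from the same key without changing the generator.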