spf-discuss

on moving from heuristics toward certainty

2004-02-25 11:22:09
On Wed, Feb 25, 2004 at 06:12:37PM +0000, David Woodhouse wrote:
| 
| Imagine a scheme where you generate and sign a tuple of
| 
|  { <number of original lines>, <cheap rolling checksum>, <hash> }
| 
| In this way you handle crap being added at the beginning and the end of
| the mail. You just get to make a local policy decision about how _much_
| crap you'll tolerate, that's all.
| 

Rolling checksums are a good heuristic answer to the problem, but in
general, sender authentication represents a paradigm shift away from
heuristics toward black and white answers.

Like any heuristics-based system, content filtering is endlessly tweakable.
That's what makes it so attractive to amateurs, but unpalatable to
professionals.  To the amateur, tweakability creates a feeling of
heroics.  To the professional, doubt is a cost to be avoided.

We want a world where either the sender is forged or it's not; either
it's accredited or it's not; either it's reputable or it's not.  We're
trying to shift the uncertainty from the authentication space into the
reputation space where it belongs.
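The signed-tuple scheme quoted above, written out as an added example that is not code from the original thread: a cheap per-line checksum whose window sum rolls as the verifier slides over the received body, a strong hash checked only at offsets where the cheap checksum matches, and the "how much junk" tolerance exposed as a local policy parameter. An HMAC with a constructed key stands in for the real signature, and the message text is constructed for the demo.

```python
import hashlib
import hmac
import zlib
from typing import Optional

# Constructed shared secret for the demo; a deployed scheme would use a public-key signature.
KEY = b"constructed-demo-key"
MASK = 0xFFFFFFFF


def to_lines(body: str) -> list[bytes]:
    # Normalize line endings so a CRLF/LF rewrite in transit does not break verification.
    return [ln.rstrip("\r").encode() for ln in body.split("\n")]


def line_weight(line: bytes) -> int:
    # Cheap per-line value; the window checksum is the sum of these, so it can be rolled.
    return zlib.crc32(line) & MASK


def window_checksum(lines: list[bytes]) -> int:
    return sum(map(line_weight, lines)) & MASK


def strong_hash(lines: list[bytes]) -> str:
    return hashlib.sha256(b"\n".join(lines)).hexdigest()


def sign(body: str) -> dict:
    # Sign the tuple {line count, cheap checksum, strong hash} rather than the raw body.
    lines = to_lines(body)
    tup = {"n": len(lines), "cksum": window_checksum(lines), "hash": strong_hash(lines)}
    msg = f"{tup['n']}:{tup['cksum']}:{tup['hash']}".encode()
    tup["sig"] = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return tup


def verify(body: str, tup: dict, max_junk_lines: int) -> Optional[int]:
    """Return the line offset of the signed content inside body, or None if not found."""
    msg = f"{tup['n']}:{tup['cksum']}:{tup['hash']}".encode()
    if not hmac.compare_digest(hmac.new(KEY, msg, hashlib.sha256).hexdigest(), tup["sig"]):
        return None
    lines, n = to_lines(body), tup["n"]
    extra = len(lines) - n
    if extra < 0 or extra > max_junk_lines:  # local policy: how much added material to tolerate
        return None
    ck = window_checksum(lines[:n])  # slide an n-line window, rolling the cheap checksum
    for off in range(extra + 1):
        if ck == tup["cksum"] and strong_hash(lines[off:off + n]) == tup["hash"]:
            return off
        if off + n < len(lines):
            ck = (ck - line_weight(lines[off]) + line_weight(lines[off + n])) & MASK
    return None
```

A match at a non-zero offset tells the verifier exactly how many lines of prepended material it accepted, which is the quantity the quoted policy decision is about.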