Re: Opening Debate on SPF vs. SenderKeys

On Fri, 20 Aug 2004 12:07:54 -0700, 
<Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> AccuSpam wrote:
> > I was hoping others here would go directly into substantively
> > comparing which scenarios SPF and SenderKeys are more viable
> > than each other.
> require MUA upgrades.  Consider this message, signed with PGP using
> Windows Privacy Tools, all open-source despite that I'm using Outlook
> 2000.
>
> > ... with SenderKeys, the ISP or personal domain user,
> > simply responds to a enticement e-mail
> Enticement email = spam, sorry.
I get a different read on this algorithm; perhaps if I re-summarize it:

SenderKeys is like PGP in that messages are signed using public-key  
encryption.
Additionally, if a message is not signed, the receiver can generate a free  
private key using his authority server for the sender address and mail it  
back to the user in the "enticement" email.  Its not mentioned, but  
presumably if he doesn't trust your authority server he could ignore the  
signature and send you an additional key (the SenderKeys docs mention that  
multiple signatures may be included with the message).
If your MUA has already been upgraded, it should intercept this message  
and start using that private key to send emails automatically.  Otherwise,  
there will be a link in there telling you how to upgrade your MUA.
Thus the problem is completely localized to the MUA, satisfying his  
apparent goal - to avoid changes on the server.
I imagine there would be a market among advanced computer users (someone  
who would install Windows Privacy Tools, maybe) who are using the email  
address and mail servers provided their ISP (e.g. joe(_at_)aol(_dot_)com) and are  
therefore unable to implement filtering etc. on the server-side.
The implementation would have to be careful, however, not to repetitively  
send enticement mails to people who don't install SenderKeys, because  
SenderKeys will not be accessible to everyone.
The SenderKeys overview mentions that you could configure it to only send  
the enticement if the user is blacklisted (as opposed to  
non-whitelisted).  I suppose this means that if you start receiving spam  
from a particular address you blacklist it manually; if it is a real user  
they will be forced to install SenderKeys in order to communicate (or is  
there a challenge-response backup?).  In the blacklist case, the  
'enticement emails' would be delivered as bounces I suppose.
My suspicion is that this would become the most common use.  I used to use  
tmda and I have disabled its challenge-response mechanism because it is  
too confusing for novice users and blocks receipts, mailing list  
confirmations, and order confirmations from online services.  In this  
mode, however, SenderKeys is not an anti-spam solution for the receiver,  
it just prevents impersonation when sending mail to other SenderKeys users  
and allows SenderKeys users to bypass the blacklists of other SenderKeys  
users.  Spammers can continue to bypass the system the same way they've  
been bypassing blacklists all along.
Compared to tmda:
- tmda only requires intallation on the receivers' side
- tmda does not require senders to upgrade their MUA
- SenderKeys allows an address to be whitelisted only if its messages are  
cryptographically signed
- whereas in tmda you can tell them to use a sender-specific address to  
email you
Note: If you are willing to upgrade the senders' MUA, then of course you  
could automate the process of acquiring a tmda sender-specific email  
recipient address; this would be functionally equivalent to SenderKeys  
except the message body would not be protected from tampering.
I don't aticipate that spammers will tamper - oh the horror!  I can just  
see a letter from my mother suffixed with a bunch of random words and a  
link to some maternal rape site.
Compared to SPF:
- with SPF, *(_at_)domain are taken care of, SenderKeys does individual sender  
addresses
- with SPF, central administration is dealt with using DNS; SenderKeys  
include an authority URL with each key, and any user may have a keypair on  
any authority
- SenderKeys can be installed without adminstrating a server (except the  
authority server, perhaps)
- SenderKeys uses cryptographic signatures to identify the sender, SPF  
uses the IP address of the delivering server
- SPF spreads by accompanying the old mantra "close open relays!" with a  
new mantra "close open domains!", SenderKeys spreads from person to person  
as the enticement bounces are read by non-users (these messages are  
automatically handled and removed by the SenderKeys software).
I would give SenderKeys an overall thumbs down.  MUA-based solutions don't  
gain traction.  Blacklist-based systems don't stop SPAM.  And  
whitelist-based systems block the most important mail - "Your order has  
been shipped" and "Please confirm your email address".
Wow... what a long message!  I apologize, but I wanted to be thorough to  
aviod confusion.
CU
Dobes