spf-discuss
[Top] [All Lists]

Re: Opening Debate on SPF vs. SenderKeys

2004-08-20 13:10:08
On Fri, 20 Aug 2004 12:07:54 -0700, 
<Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AccuSpam wrote:
I was hoping others here would go directly into substantively
comparing which scenarios SPF and SenderKeys are more viable
than each other.

require MUA upgrades.  Consider this message, signed with PGP using
Windows Privacy Tools, all open-source despite that I'm using Outlook
2000.

... with SenderKeys, the ISP or personal domain user,
simply responds to a enticement e-mail

Enticement email = spam, sorry.

I get a different read on this algorithm; perhaps if I re-summarize it:

SenderKeys is like PGP in that messages are signed using public-key encryption.

Additionally, if a message is not signed, the receiver can generate a free private key using his authority server for the sender address and mail it back to the user in the "enticement" email. Its not mentioned, but presumably if he doesn't trust your authority server he could ignore the signature and send you an additional key (the SenderKeys docs mention that multiple signatures may be included with the message).

If your MUA has already been upgraded, it should intercept this message and start using that private key to send emails automatically. Otherwise, there will be a link in there telling you how to upgrade your MUA.

Thus the problem is completely localized to the MUA, satisfying his apparent goal - to avoid changes on the server.

I imagine there would be a market among advanced computer users (someone who would install Windows Privacy Tools, maybe) who are using the email address and mail servers provided their ISP (e.g. joe(_at_)aol(_dot_)com) and are therefore unable to implement filtering etc. on the server-side.

The implementation would have to be careful, however, not to repetitively send enticement mails to people who don't install SenderKeys, because SenderKeys will not be accessible to everyone.

The SenderKeys overview mentions that you could configure it to only send the enticement if the user is blacklisted (as opposed to non-whitelisted). I suppose this means that if you start receiving spam from a particular address you blacklist it manually; if it is a real user they will be forced to install SenderKeys in order to communicate (or is there a challenge-response backup?). In the blacklist case, the 'enticement emails' would be delivered as bounces I suppose.

My suspicion is that this would become the most common use. I used to use tmda and I have disabled its challenge-response mechanism because it is too confusing for novice users and blocks receipts, mailing list confirmations, and order confirmations from online services. In this mode, however, SenderKeys is not an anti-spam solution for the receiver, it just prevents impersonation when sending mail to other SenderKeys users and allows SenderKeys users to bypass the blacklists of other SenderKeys users. Spammers can continue to bypass the system the same way they've been bypassing blacklists all along.

Compared to tmda:
- tmda only requires intallation on the receivers' side
- tmda does not require senders to upgrade their MUA
- SenderKeys allows an address to be whitelisted only if its messages are cryptographically signed - whereas in tmda you can tell them to use a sender-specific address to email you

Note: If you are willing to upgrade the senders' MUA, then of course you could automate the process of acquiring a tmda sender-specific email recipient address; this would be functionally equivalent to SenderKeys except the message body would not be protected from tampering.

I don't aticipate that spammers will tamper - oh the horror! I can just see a letter from my mother suffixed with a bunch of random words and a link to some maternal rape site.

Compared to SPF:
- with SPF, *(_at_)domain are taken care of, SenderKeys does individual sender addresses - with SPF, central administration is dealt with using DNS; SenderKeys include an authority URL with each key, and any user may have a keypair on any authority - SenderKeys can be installed without adminstrating a server (except the authority server, perhaps) - SenderKeys uses cryptographic signatures to identify the sender, SPF uses the IP address of the delivering server - SPF spreads by accompanying the old mantra "close open relays!" with a new mantra "close open domains!", SenderKeys spreads from person to person as the enticement bounces are read by non-users (these messages are automatically handled and removed by the SenderKeys software).

I would give SenderKeys an overall thumbs down. MUA-based solutions don't gain traction. Blacklist-based systems don't stop SPAM. And whitelist-based systems block the most important mail - "Your order has been shipped" and "Please confirm your email address".

Wow... what a long message! I apologize, but I wanted to be thorough to aviod confusion.

CU
Dobes