Re: Attacking Domain Keys


On Nov 26, 2004, at 10:10 AM, James Couzens wrote:

On Fri, 2004-11-26 at 09:32 -0500, Theo Schlossnagle wrote:
DomainKeys verifications are pretty cheap -- 4ms or so with nohardware
acceleration and much faster with acceleration.  Anyone who is large
enough to have this matter either has a horizontally scalable system
that would be negligibly impacted by DK (think Yahoo and gmail) orhave
a tight veritcal system that they can buy very inexpensive crypto
acceleration units for.  Anyone who isn't huge, this simply doesnt
matter... why? Because my MTA can verfiy DK faster than my networkpipe
can handle anyway.
So err, whats the point of DK then?

It's an authentication system - like SPF is. It doesn't tell youanything about the quality of the sender, just like SPF doesn't. Andit isn't designed to be a computational penalty. Look at hashcash,penny black or something of that ilk if you want to purposefullyincorporate computational cost into SMTP.

Back to one of David's point: the math clearly shows that doing DK
_before_ something like spam assassin make perfect sense as it less
expensive computationally by several orders of magnitude.


Several orders of magnitude?  Thats quite a bit and doesn't reflect the
data that I've seen in working with SA.  SA also affords me intelligent
classification of email.  Remember even with DK, people can still SPAM!
So no one will be removing SA from their networks anytime soon and not
likely in the future either.  So really, whats the value of DK again?

You need to go back and do your math again. Even from a purelycomputational standpoint, the standard SA classification ruleset is acouple hundred times slower that DK verification. The SpamAssassinguys themselves will tell you this - it's not a high-performancesolution.

As noted above, even with SPF people will still spam. They areauthentication solutions. Authentication solutions only tell you thata sender is or isn't who they claim to be. Out of the box they at bestprevent fraudulent senders. To do anything more ambitious than thatthey both require coupling with an authorization technology that says'I know for certain who you are. Now do I want mail from you?'


George

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Re: My notes from FTC Summit with statistics, (continued) Re: Re: My notes from FTC Summit with statistics, Stephen Pollei Re: Re: My notes from FTC Summit with statistics, Rand Wacker Re: My notes from FTC Summit with statistics, wayne Attacking Domain Keys, James Couzens Re: Attacking Domain Keys, David Woodhouse Re: Attacking Domain Keys, James Couzens Re: Attacking Domain Keys, George Schlossnagle Re: Attacking Domain Keys, Theo Schlossnagle Re: Attacking Domain Keys, David Woodhouse Re: Attacking Domain Keys, James Couzens Re: Attacking Domain Keys, George Schlossnagle <= Re: Attacking Domain Keys, James Couzens Re: Attacking Domain Keys, George Schlossnagle RE: Attacking Domain Keys, Seth Goodman Re: Attacking Domain Keys, Theo Schlossnagle RE: Attacking Domain Keys, Seth Goodman Re: Attacking Domain Keys, George Schlossnagle RE: Attacking Domain Keys, Seth Goodman Re: Attacking Domain Keys, George Schlossnagle RE: Attacking Domain Keys, Seth Goodman RE: Attacking Domain Keys, David Woodhouse