spf-discuss

Re: Attacking Domain Keys

2004-11-26 08:35:41
On Fri, 2004-11-26 at 10:16 -0500, George Schlossnagle wrote:


So err, what's the point of DK then?

It's an authentication system - like SPF is.  It doesn't tell you 
anything about the quality of the sender, just like SPF doesn't.  And 
it isn't designed to be a computational penalty. Look at hashcash, 
penny black or something of that ilk if you want to purposefully 
incorporate computational cost into SMTP.

So DK is expensive, puts full cryptographic burden upon the recipient,
is vulnerable to YAdDoS, and has no more value than SPF does, and you
can't do pre-data rejection.  Where do I sign?

You need to go back and do your math again.  Even from a purely 
computational standpoint, the standard SA classification ruleset is a 
couple hundred times slower than DK verification.  The SpamAssassin 
guys themselves will tell you this - it's not a high-performance 
solution.

No I don't.  I don't run the standard ruleset and it's by no means an
ordinary setup, but it most certainly doesn't qualify from my data as
"several orders of magnitude".

As noted above, even with SPF people will still spam.  They are 
authentication solutions.  Authentication solutions only tell you that 
a sender is or isn't who they claim to be.  Out of the box they at best 
prevent fraudulent senders.  To do anything more ambitious than that 
they both require coupling with an authorization technology that says 
'I know for certain who you are.   Now do I want mail from you?'

Yes, this is a whole other point entirely.  If I were to have just
stepped in here and read your message about DK I would not be
implementing it any time soon or for that matter ever.  It seems
absolutely pointless when with a small amount of fixing SPF can be used
at a phenomenally reduced cost to reject in 2821.

We have enough crap out there already that will deal with mail in 2822
land.  Once mail is in the data stage, what's the point, you might as
well run SpamAssassin for all the benefits you get with it, or some
other classification mechanism such as procmail or maildrop.

Cheers,

James

-- 
James Couzens,
Programmer
                                                     ( ( (      
      ((__))         __\|/__        __|-|__        '. ___ .'    
       (00)           (o o)          (0~0)        '  (> <) '    
---nn-(o__o)-nn---ooO--(_)--Ooo--ooO--(_)--Ooo---ooO--(_)--Ooo---
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7A7C7DCF
