On Nov 26, 2004, at 10:35 AM, James Couzens wrote:
> On Fri, 2004-11-26 at 10:16 -0500, George Schlossnagle wrote:
>
> So err, what's the point of DK then?

It's an authentication system - like SPF is. It doesn't tell you
anything about the quality of the sender, just like SPF doesn't. And
it isn't designed to be a computational penalty. Look at hashcash,
penny black or something of that ilk if you want to purposefully
incorporate computational cost into SMTP.

> So DK is expensive

It's not. Go back and read my messages.

> puts full cryptographic burden upon the recipient

It doesn't, the recipient and sender share it (in fact it's cheaper for
the recipient), it's also something you as a receiver aren't required
to validate if you don't want to.

> is vulnerable to YAdDoS

It's not any more vulnerable to DDOS than SMTP itself.

> and has no more value than SPF does

It aims to achieve a similar goal, but provides capabilities that SPF
doesn't. They aren't mutually exclusive, they're complementary.

> > You need to go back and do your math again. Even from a purely
> > computational standpoint, the standard SA classification ruleset is a
> > couple hundred times slower than DK verification. The SpamAssassin
> > guys themselves will tell you this - it's not a high-performance
> > solution.
>
> No I don't. I don't run the standard ruleset and it's by no means an
> ordinary setup, but it most certainly doesn't qualify from my data as
> "several orders of magnitude".

Well, I clearly can't benchmark your ruleset for you, I can only speak
for standard ones. But that's how benchmarks are done. You're welcome
to publish some numbers here, I'd be happy to discuss them.

> > As noted above, even with SPF people will still spam. They are
> > authentication solutions. Authentication solutions only tell you that
> > a sender is or isn't who they claim to be. Out of the box they at
> > best prevent fraudulent senders. To do anything more ambitious than
> > that they both require coupling with an authorization technology that
> > says 'I know for certain who you are. Now do I want mail from you?'
>
> Yes, this is a whole other point entirely. If I were to have just
> stepped in here and read your message about DK I would not be
> implementing it any time soon or for that matter ever. It seems
> absolutely pointless when with a small amount of fixing SPF can be used
> at a phenomenally reduced cost to reject in 2821.

Everyone's entitled to their opinion. That's why it's important that
proposed sender-authentication systems don't break plain rfc821 SMTP.
There will always be people who cannot or will not implement a certain
piece of technology, and we should collectively take care not to
disenfranchise them.

George