Julian Mehnle wrote on Saturday, December 02, 2006 6:10 PM -0600:
> Seth Goodman wrote:
> > SPF, however, does not directly validate sender addresses. That
> > requires strong cryptography and a system to distribute validation
> > instructions.
> How is "strong cryptography" any more secure an assertion method than
> IP address authorization?
From the standpoint of the recipient, you can determine that a PGP key belongs
to an individual to a degree of certainty that you understand. You know the
trust relationship in detail and make of it what you will. It is much more
tenuous for designated hosts. A recipient has no way to evaluate the extent
to which a host is secure and the strength of the measures used to discourage
forgery. Neither does a recipient have any way to evaluate how many machines
have submission rights to that host and their level of security.
All a recipient can say is that the return-path domain is verified according to
the sender's wishes. Those may or may not be congruent with the recipient's
wishes, and the recipient can't even evaluate the extent to which that is the
case. This is a direct result of the perception that it is far easier and more
common to hack a shared host, or another machine that has submission rights to
that host, than to acquire someone's private key. It doesn't mean that it
actually is easier in any particular case, just that most people believe it to
be.
> The grade of security of any assertion method only depends on the
> odds of it being plausibly reproduced against the will of the
> authority, not on some inherent magical properties.
I agree. Saying you possess the secret key corresponding to a public key that
was signed by numerous individuals a recipient trusts after verification in
person is a much stronger assertion than saying you designate a given host as
permitted to send mail on behalf of your domain. In a strong system, the
prover makes an assertion that he is actually in a position to prove. A person
can prove his identity to a high degree of certainty to others who do not
possess special skills, but proving that a given mail host and the network
behind it are secure is pretty difficult.
There is nothing magic about cryptography. Frameworks and assertions that you
bother protecting with cryptography tend to be strong in the first place. When
the base assertion is not readily provable, it may not be worth protecting. In
order to validate a sender address, I said you needed "strong cryptography and
a system to distribute validation instructions". Necessary but not sufficient.
I did not mean to imply that cryptography could turn a weak assertion into a
strong one.
--
Seth Goodman
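An added example, not code from this thread or from the SPF project, that makes the point above concrete: a minimal evaluator for the ip4/ip6/all mechanisms of a constructed SPF record. The only fact a "pass" establishes is that the domain owner listed the connecting network as permitted to send for the domain; it cannot tell the domain owner apart from anyone else with submission rights on that host.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (assumed example value).
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix -> SPF result when the mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms.

    Only ip4, ip6 and all are handled here; include/a/mx need DNS lookups
    and are deliberately out of scope for this illustration."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(record, client_ip):
    """Return the SPF result for the connecting IP under the given record.

    A 'pass' asserts only that the domain owner designated this network;
    every client able to submit through a designated host gets the same
    answer, which is exactly the limitation discussed in the thread."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return RESULT[qualifier]
        if (name == "ip4" and ip.version == 4) or (name == "ip6" and ip.version == 6):
            # A bare address with no prefix length is treated as a single host.
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.1", "2001:db8:1::5"):
        print(sender, "->", check_host(EXAMPLE_RECORD, sender))
```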
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735