[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Asrg] How to defeat spam that uses encryption?

To: "'Chuq Von Rospach'" <chuqui@plaidworks.com>, "william@elan.net" <william@elan.net>
Subject: RE: [Asrg] How to defeat spam that uses encryption?
From: "Eric D. Williams" <eric@infobro.com>
Date: Tue, 1 Apr 2003 12:52:05 -0500
Cc: "asrg@ietf.org" <asrg@ietf.org>
List-archive: <https://www1.ietf.org/pipermail/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
Organization: Information Brokers, Inc.
Sender: asrg-admin@ietf.org

On Tuesday, April 01, 2003 11:56 AM, Chuq Von Rospach 
[SMTP:chuqui@plaidworks.com] wrote:
>
> On Tuesday, April 1, 2003, at 05:31  AM, william@elan.net wrote:
>
> > There is nothing stopping spammers from generating new keys and
> > certificates
> > for their mail servers, so we can have servers exchange certs, but
> > really
> > not authentication there as far as who is who.
> >
> as a friend of mine who's a computer security expert keeps reminding
> me, authentication is not authorization. The fact that someone can get
> authenticated doesn't say anything about what that person can (or
> should) be able to do. It merely means you have some idea who that
> person is supposed to be.

As a security expert I would have to insert that authentication is a key 
element in making an authorization determination.  So it is the first step in 
determining what someone can do. In this case whether the entity may forward a 
message to a particular address/recipient/domain.  Without adequate knowledge 
or assurance that an entity is 'who' it say's it is then authorization is not 
effective.  I don't think that is an argument against authentication but rather 
the authorization must follow (and I think was implicit in the statement, 
though the thought could be inferred).

> It doesn't matter how good the authentication scheme is if there's no
> way to turn that into  what a person is authorized to do. That's a key
> problem with certs and many authentication schemes. Given how easy it
> is to get or generate certs, and given that even if you authenticate
> sites and can blacklist certs that spam, if certs are effectively
> throwaway tools for spammers, what good does blacklisting a cert do?

No, I don't agree.  The cert (throw-away or not) in the example are not 
'granted' by un-trusted or unknown certifiers and in that case the objective 
identification of a sending host should contain (given a proper vetting 
standard) information that can be used for the authorization step.

> authenticating a stranger doesn't buy you anything, because you still
> don't know what permissions you can trust that stranger with.
> authentication is mostly of advantage for whitelisting operations and
> clearing stuff out of the way that you know you don't have to look at,
> at least until someone grabs someone else's cert...

But it does buy you the fact that you know "they are who they say they are", in 
this example through some objective third party, then what you want to allow 
them to do is up to you, you can't depend on the 'stranger' to tell you what 
they are authorized to do.

-e

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] How to defeat spam that uses encryption?
  - From: Chuq Von Rospach

Prev by Date: RE: [Asrg] How to defeat spam that uses encryption?
Next by Date: [Asrg] off topic, but hauntingly relevant...
Previous by thread: RE: [Asrg] How to defeat spam that uses encryption?
Next by thread: Re: [Asrg] How to defeat spam that uses encryption?
Index(es):
- Date
- Thread