RE: [Asrg] porkhash: flexible anti-impersonation mail signatures
On Thursday, April 03, 2003 3:42 PM, J C Lawrence [SMTP:claw@kanga.nu] wrote:
8<...>8
> My concern there is distribution of the secret. There's relatively
> little value in cacheing the value of an authenticity check. Its not
> something that a given site tends to repeat. However repetitive checks
> of *different* messages from the same MTA will be common, each one
> hammering the possessor of the secret.
I think he means caching of the public key, so receiving MTAs can do quick
checks of MTAs in the forwarding path. I don't think you want anybody handing
out secrets, but handing a public key out, via DNS, that can be cached by
receivers seems like a prudent idea. I do note your concerns on DNS server
load, however; that could be an issue. DNS servers do, however, handle a lot of
queries anyway, though it should be noted as a security concern.
e.g., MTAs: O=originator, R=receiver; DNS: DOP=originator public-key RR,
DRR=receiver porkhasher plug-in, DO=originator DNS server
O ehlo, etc...DATA >> R
O << end with '.' R
O headers >> R
latest header >> read O[x] porkhash >> DRR query DOP >> DO
DRR << DOP DO
DOP cached TTL n
:repeat for each header O[x++]
...perform porkhashing checks
...return result, for each O[x]
O << status (acc,rjt,...) R
end session
When new mail arrives from the same O[x] before expiration of n, then
use the cached DOP for the 'O[x]' porkhash checks.
> A system which doesn't require either distribution of the secret, or
> ready access to the secret by uninvolved parties would seem better.
Only the MTA needing to know the public key would be involved, and it would only
(concerning cache persistency here) query again if necessary.
> --
> J C Lawrence
> ---------(*) Satan, oscillate my metallic sonatas.
> claw@kanga.nu He lived as a devil, eh?
> http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
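The exchange sketched in the post (receiver looks up the originator's public-key RR, caches it for its TTL, and verifies the signature in each hop's header with the cached key), as an added example that is not part of the original message or of any porkhash implementation. The header layout, the signed input (body hash plus the domains of the hops below), the Ed25519 signature scheme, the RR shape and the domain names are all assumptions made for the illustration; the simulated DNS zone and messages are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// keyRR is a stand-in for the originator's public-key RR (the post's DOP) with its TTL.
// The RR format is an assumption, not the porkhash specification.
type keyRR struct {
	Key ed25519.PublicKey
	TTL time.Duration
}

// Resolver is the originator's DNS server (DO); it counts queries so the load
// effect of caching is observable.
type Resolver struct {
	zone    map[string]keyRR
	Queries int
}

func (r *Resolver) Query(domain string) (keyRR, bool) {
	r.Queries++
	rr, ok := r.zone[domain]
	return rr, ok
}

type cacheEntry struct {
	rr      keyRR
	expires time.Time
}

// Receiver is the receiving MTA's plug-in (DRR): a TTL-bounded key cache in front of DNS.
type Receiver struct {
	dns   *Resolver
	cache map[string]cacheEntry
	Now   func() time.Time // injectable clock so TTL expiry can be exercised deterministically
}

func NewReceiver(dns *Resolver) *Receiver {
	return &Receiver{dns: dns, cache: map[string]cacheEntry{}, Now: time.Now}
}

// publicKey serves from cache while the entry is unexpired, otherwise re-queries DNS.
func (rc *Receiver) publicKey(domain string) (ed25519.PublicKey, bool) {
	if e, ok := rc.cache[domain]; ok && rc.Now().Before(e.expires) {
		return e.rr.Key, true
	}
	rr, ok := rc.dns.Query(domain)
	if !ok {
		return nil, false
	}
	rc.cache[domain] = cacheEntry{rr: rr, expires: rc.Now().Add(rr.TTL)}
	return rr.Key, true
}

// Hop is one signing MTA in the forwarding path (O[x] in the post); Hops[0] is the latest header.
type Hop struct {
	Domain string
	Sig    []byte
}

type Message struct {
	Hops []Hop
	Body string
}

// signedInput is the assumed canonicalisation each hop signs: SHA-256 over the body
// and the domains of every hop that signed before it.
func signedInput(m Message, i int) []byte {
	h := sha256.New()
	h.Write([]byte(m.Body))
	for _, hp := range m.Hops[i+1:] {
		h.Write([]byte("\n" + hp.Domain))
	}
	return h.Sum(nil)
}

// AddHop prepends a signed header, as each MTA in the path would.
func AddHop(m Message, domain string, priv ed25519.PrivateKey) Message {
	m.Hops = append([]Hop{{Domain: domain}}, m.Hops...)
	m.Hops[0].Sig = ed25519.Sign(priv, signedInput(m, 0))
	return m
}

// Verify walks the headers latest-first and returns "pass", "fail" or "nokey" per hop.
func (rc *Receiver) Verify(m Message) []string {
	out := make([]string, len(m.Hops))
	for i, hp := range m.Hops {
		key, ok := rc.publicKey(hp.Domain)
		switch {
		case !ok:
			out[i] = "nokey"
		case ed25519.Verify(key, signedInput(m, i), hp.Sig):
			out[i] = "pass"
		default:
			out[i] = "fail"
		}
	}
	return out
}

// Result collects the observable outcomes of the constructed scenario below.
type Result struct {
	First, Same, Tampered, Unknown    []string
	QueriesCached, QueriesAfterExpiry int
}

// Scenario: two hops sign, a second mail from the same originator reuses the cache,
// a tampered body fails, expiry forces a re-query, and an unknown domain yields "nokey".
func Scenario() Result {
	originPub, originPriv, _ := ed25519.GenerateKey(rand.Reader)
	relayPub, relayPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dns := &Resolver{zone: map[string]keyRR{
		"origin.example": {Key: originPub, TTL: time.Hour},
		"relay.example":  {Key: relayPub, TTL: time.Hour},
	}}
	now := time.Date(2003, 4, 3, 15, 42, 0, 0, time.UTC)
	rc := NewReceiver(dns)
	rc.Now = func() time.Time { return now }

	msg := AddHop(AddHop(Message{Body: "hello"}, "origin.example", originPriv), "relay.example", relayPriv)
	var r Result
	r.First = rc.Verify(msg)
	r.Same = rc.Verify(AddHop(Message{Body: "again"}, "origin.example", originPriv))
	r.QueriesCached = dns.Queries // two lookups total; the second mail hit the cache
	bad := msg
	bad.Body = "hell0" // constructed in-transit modification
	r.Tampered = rc.Verify(bad)
	now = now.Add(2 * time.Hour) // past TTL n: cached DOP no longer valid
	rc.Verify(msg)
	r.QueriesAfterExpiry = dns.Queries
	r.Unknown = rc.Verify(AddHop(AddHop(Message{Body: "x"}, "origin.example", originPriv), "stranger.example", strangerPriv))
	return r
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The cache is keyed only by domain and the TTL comes from the record, which is the property the post relies on: repeated mail from the same originator costs the receiver no further DNS traffic until n expires, while every hop's signature is still checked locally. A tampered body breaks every hop's signature at once because each hop signs the body hash.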