[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] My take on e-postage

To: asrg at ietf.org
Subject: Re: [Asrg] My take on e-postage
From: der Mouse <mouse at Rodents.Montreal.QC.CA>
Date: Mon, 26 Apr 2004 00:12:25 -0400 (EDT)
In-reply-to: <200404260250.i3Q2oLi01823@panix5.panix.com>
List-archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <8014E072-9685-11D8-A46E-000393863768@chromatix.demon.co.uk> <200404251913.PAA01767@Sparkle.Rodents.Montreal.QC.CA> <170754AC-96FD-11D8-A46E-000393863768@chromatix.demon.co.uk> <200404252143.RAA02636@Sparkle.Rodents.Montreal.QC.CA><5B85241C-9714-11D8-A46E-000393863768@chromatix.demon.co.uk> <200404260030.UAA03203@Sparkle.Rodents.Montreal.QC.CA><200404260250.i3Q2oLi01823@panix5.panix.com>
Sender: asrg-admin at ietf.org

>> Why?  Simply because all the hashcash protocols I've seen outlined,
>> or that I've thought of, involve some kind of challenge by the
>> recipient which must be answered by the "payer".  A simple example
>> might be "find a data blob whose SHA-1 hash has these 20 bits set to
>> these values".
> Simple attempt (which probably won't work, but would take me a few
> hours to figure out why):  "The message, including the timestamp
> (which must be accurate to 10 seconds and only one is accepted per 10
> seconds) and including From and Envelope-To (same as To) must have
> the first 20 bits of its MD5 equal to 10101010101010101010;

> You can't do the work once for many recipients because the recipient
> is included in the hash;

Right.

> and you can't re-use it because of the timestamp.

Not quite that simple.

If the timestamp must match the time of the SMTP handoff, then you have
to recompute the hashcash for every retry (and are vulnerable to
unusually slow SMTP connections or recipient clocks set wrong); if the
timestamp need not match the time of the SMTP handoff, you are
vulnerable to backdated reuse.

You may be on to something here, though.  How about:

	The MD5 of the envelope-from, the envelope-to, the From:, To:,
	Message-Id:, and X-HashCash: headers, in that order,
	concatenated with the entire message body, must begin with
	however many 0 bits the recipient requires.

I think that addresses the issue.  Thank you.  (Replay isn't, I think,
much of an issue, when you can replay only whole messages including the
envelope.)

Of course, it still suffers from the usual problems endemic to all
hashcash, notably the very wide variety in CPU speeds out there.
J. Random Hacker in Outer Slobbovia running on a half-lung salvaged
68020 will be utterly blocked by hashcash values high enough to be even
noticed by Evil Q. Spammer's late-model 8-CPU 18GHz Hexium.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] My take on e-postage
  - From: Eric Rescorla
- Re: [Asrg] My take on e-postage
  - From: Jonathan Morton

References:
- [Asrg] My take on e-postage
  - From: Jonathan Morton
- Re: [Asrg] My take on e-postage
  - From: der Mouse
- Re: [Asrg] My take on e-postage
  - From: Jonathan Morton
- Re: [Asrg] My take on e-postage
  - From: der Mouse
- Re: [Asrg] My take on e-postage
  - From: Jonathan Morton
- Re: [Asrg] My take on e-postage
  - From: der Mouse
- Re: [Asrg] My take on e-postage
  - From: Seth Breidbart

Prev by Date: Re: [Asrg] My take on e-postage
Next by Date: [Asrg] Re: Asrg] My take on e-postage
Previous by thread: Re: [Asrg] My take on e-postage
Next by thread: Re: [Asrg] My take on e-postage
Index(es):
- Date
- Thread