
Re: [Asrg] A Technique for Universal Authentication

On 9/1/06, David Nicol <davidnicol at gmail.com> wrote:
On 9/1/06, Michael Kaplan <michaelkaplanasrg at gmail.com> wrote:
> I will illustrate by example.  You receive an email from a stranger.  As is
> often the case the email is not authenticated by DKIM or Sender ID, it isn't
> S/MIME signed, and it isn't using a sub-address.  Your filter rates this
> email as having an intermediate risk for being spam.
>
> Under my system this email would be bounced back to the sender along with a
> sub-address.  The sender's MUA will likely be updated to resend this bounce,
> but if it isn't then all is not lost as the sender has the opportunity to
> manually resend the bounce.  The stranger's email is now authenticated.  I
> don't think that S/MIME is able to reproduce these functions.

A shared centralized challenge-response system, which could be the beginning
of the reputation infrastructure that gets talked about here, would do the same
thing with fewer steps for the senders and no software upgrades required.

As I understand it, any proposal that requires some kind of zero-day during
which everyone on the internet is mandated to upgrade their MUAs in order for
it to work is a non-starter.
 
This proposal does not require any kind of zero-day.  It combines the advantages of a Bayesian filter and a sub-address based email system to ensure that challenges are only sent for a small fraction of legitimate mail.  Updating the MUAs is only essential to make this system universally transparent.
 
Ideally it would be great if the 10 largest MUA developers made this rather simplistic upgrade, then maybe a year later this system would be deployed.  This system would not be a C/R system for any of the vast majority of people with an updated MUA.  It would not be a C/R system for anyone sending non-spammy email.
 
Again, I contrast the tremendous ease of deploying Auto-Reply software with the impossible task of the near universal deployment of DKIM or SPF.  The challenge will only apply to the ever diminishing number of emails that fall through the cracks. 
 
C/R systems are not desirable, but I argue that there comes a point where, if the challenge becomes so infrequent (1 out of 200 legitimate emails?), the undesirability of C/R fades along with the appropriateness of calling it C/R.  The question is whether this system can block spam and make challenges so infrequent that we have reached the point where it is desirable.
 
Michael
 
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
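The flow Michael describes (intermediate-risk mail is bounced with a sub-address; a resend to that sub-address counts as authenticated) is easier to reason about when written out. The following is an added simulation, not code from either poster: it assumes the recipient's MTA delivers plus-addressed mail (`alice+tag@example.org`) to `alice`, that a Bayesian filter supplies a spam score in [0, 1], and that the tag is an HMAC over the sender address and issue time under a recipient-side secret. Binding the tag to the sender and giving it an expiry are my additions; they address two things the thread does not spell out, namely that a challenge address learned by a third party should not be a free pass, and that a challenge should not stay valid forever. The thresholds and addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed thresholds for the filter's spam score (0.0 = ham, 1.0 = spam).
# Below LOW: deliver.  At or above HIGH: reject.  In between: challenge.
LOW, HIGH = 0.2, 0.8


@dataclass
class Message:
    sender: str
    recipient: str      # local part may carry a "+tag" sub-address
    spam_score: float   # output of an existing Bayesian filter (assumed)


@dataclass
class Mailbox:
    local: str
    domain: str
    secret: bytes                       # recipient-side key for the HMAC tag
    tag_ttl: int = 7 * 24 * 3600        # seconds a challenge address stays valid
    known_senders: Set[str] = field(default_factory=set)

    def make_tag(self, sender: str, issued: int) -> str:
        """Tag = issue time + truncated HMAC over (sender, issue time)."""
        mac = hmac.new(self.secret, f"{sender.lower()}|{issued}".encode(),
                       hashlib.sha256).hexdigest()[:16]
        return f"{issued}.{mac}"

    def check_tag(self, tag: str, sender: str, now: int) -> bool:
        """True only if the tag was minted for this sender and is unexpired."""
        issued_s, _, _mac = tag.partition(".")
        if not issued_s.isdigit():
            return False
        issued = int(issued_s)
        if issued > now or now - issued > self.tag_ttl:
            return False
        return hmac.compare_digest(self.make_tag(sender, issued), tag)

    def challenge_address(self, sender: str, now: int) -> str:
        return f"{self.local}+{self.make_tag(sender, now)}@{self.domain}"

    def handle(self, msg: Message, now: int) -> Tuple[str, Optional[str]]:
        """Receiving-side decision: ('deliver'|'reject'|'challenge', address)."""
        local, _, domain = msg.recipient.partition("@")
        base, _, tag = local.partition("+")
        if base != self.local or domain != self.domain:
            return "reject", None
        sender = msg.sender.lower()
        # A resend to a valid challenge address authenticates the sender.
        if tag and self.check_tag(tag, sender, now):
            self.known_senders.add(sender)
            return "deliver", None
        # Invalid or expired tag: fall back to normal scoring, not auto-reject.
        if sender in self.known_senders or msg.spam_score < LOW:
            return "deliver", None
        if msg.spam_score >= HIGH:
            return "reject", None
        return "challenge", self.challenge_address(sender, now)


def run_flow(now: int = 1_000_000) -> List[str]:
    """Walk the stranger scenario from the thread and return the decisions."""
    box = Mailbox("alice", "example.org", b"constructed-secret")
    out = []
    first = Message("stranger@example.net", "alice@example.org", 0.5)
    action, addr = box.handle(first, now)
    out.append(action)                                   # challenge
    # The sender's MUA (or the sender by hand) resends to the sub-address.
    resend = Message("stranger@example.net", addr, 0.5)
    out.append(box.handle(resend, now + 60)[0])          # deliver
    # Later untagged mail from the now-known sender is delivered directly.
    later = Message("stranger@example.net", "alice@example.org", 0.5)
    out.append(box.handle(later, now + 120)[0])          # deliver
    # Someone else reusing the same challenge address does not inherit it.
    other = Message("other@example.net", addr, 0.5)
    out.append(box.handle(other, now + 120)[0])          # challenge
    # A tag is no longer honoured once its TTL has passed.
    stale_addr = box.challenge_address("stranger2@example.net", now)
    stale = Message("stranger2@example.net", stale_addr, 0.5)
    out.append(box.handle(stale, now + box.tag_ttl + 1)[0])  # challenge
    return out
```

Note what the simulation does not cover: the bounce itself still goes to whatever address is in the envelope sender, so forged senders receive challenges they never asked for (the backscatter objection to C/R); the HMAC stops a tag from being transferred between senders but cannot stop a spammer who controls the forged address from answering it.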