Re: [Asrg] 6. Proposals - Challenge/response - CRI
Andrew Akehurst <A.D.Akehurst-99@student.lboro.ac.uk> Wed, 20 August 2003 08:50 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA29625 for <asrg-archive@odin.ietf.org>; Wed, 20 Aug 2003 04:50:30 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pOfN-0001sJ-Pl for asrg-archive@odin.ietf.org; Wed, 20 Aug 2003 04:50:06 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h7K8o5j5007208 for asrg-archive@odin.ietf.org; Wed, 20 Aug 2003 04:50:05 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pOfM-0001sB-Td for asrg-web-archive@optimus.ietf.org; Wed, 20 Aug 2003 04:50:04 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA29615; Wed, 20 Aug 2003 04:49:58 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19pOfJ-0006Cl-00; Wed, 20 Aug 2003 04:50:01 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19pOfJ-0006Ci-00; Wed, 20 Aug 2003 04:50:01 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pOeK-0001jf-TE; Wed, 20 Aug 2003 04:49:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pOe5-0001jO-5O for asrg@optimus.ietf.org; Wed, 20 Aug 2003 04:48:45 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA29598 for <asrg@ietf.org>; Wed, 20 Aug 2003 04:48:38 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19pOe2-0006C8-00 for asrg@ietf.org; Wed, 20 Aug 2003 04:48:42 -0400
Received: from bill.lut.ac.uk ([158.125.1.193]) by ietf-mx with esmtp (Exim 4.12) id 19pOe1-0006C5-00 for asrg@ietf.org; Wed, 20 Aug 2003 04:48:41 -0400
Received: from [158.125.1.117] (helo=studentpop1.lboro.ac.uk ident=root) by bill.lut.ac.uk with esmtp (Exim 4.14) id 19pOe0-0006Fn-KM for asrg@ietf.org; Wed, 20 Aug 2003 09:48:40 +0100
Received: from [158.125.1.123] (helo=bod.lut.ac.uk) by studentpop1.lboro.ac.uk with esmtp (Exim 3.13 #1) id 19pOe0-0001rD-00 for asrg@ietf.org; Wed, 20 Aug 2003 09:48:40 +0100
Received: from apache by bod.lut.ac.uk with local (Exim 4.12) id 19pOe0-0003lk-00 for asrg@ietf.org; Wed, 20 Aug 2003 09:48:40 +0100
To: asrg@ietf.org
Subject: Re: [Asrg] 6. Proposals - Challenge/response - CRI
Message-ID: <1061369320.3f4335e87f7e7@student-webmail.lboro.ac.uk>
From: Andrew Akehurst <A.D.Akehurst-99@student.lboro.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
User-Agent: IMP/PHP IMAP webmail program 2.2.8
X-Originating-IP: 194.196.110.14
X-Spam-Score: -0.1 (/)
X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/) *19pOe0-0006Fn-KM*7TnDxfibMiw*
X-Lboro-Filtered: bill.lut.ac.uk, Wed, 20 Aug 2003 09:48:42 +0100
Content-Transfer-Encoding: 8bit
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
Date: Wed, 20 Aug 2003 09:48:40 +0100
Content-Transfer-Encoding: 8bit
Content-Transfer-Encoding: 8bit
Hello everyone Some forwarded further reaction to the CRI proposal here from David. I've had a few ideas myself over the past couple of days and I'll be posting them shortly. Thanks Andrew ----- Forwarded message from david nicol <whatever@davidnicol.com> ----- > > I think it's too complex and fiddles with too many preexisting > protocols. > > > Recently someone on the djbdns mailing list wrote an autoresponder > to reply to the challenges that that mailing list sends out on every > list posting. Someone else forged messages from the autoresponder > author's return address and the forged messages appeared on the > list. So the autoresponder in question was merely operating at > level one and not level two of the three levels defined in the draft, > which I found to be a good set of definitions. > > I am opposed to level three. As computing power keeps increasing, > as well as the availability of human brains, when properly organized, > turing test systems become useless. > > I think a good thing to agree on might be an XML DTD for challenges > and responses, which could be embedded into a human-readable > challenge message that states the same thing as the XML challenge, > for those users (initially everyone) who do not use a CRI-enabled > MUA. > > What information would beed to be in there, to have level two > functionality? Last night I came up with what I believe is a > workable set: > > 1: message-ID of the message in question. Message-IDs are generated > by the MUA (well they can be) and the MUA can remember which ones it > generated. Message-ID alone allows a valid Message-ID to be attached > to an invalid message, so Message-ID is not sufficient. > > 2: MD5 hash of the body of the message. By including this information, > it is only possible to forge a message that was actually sent. > > 3: subject line. It appears in the header, not the body, and it > is good to include the subject line in human-readable forms. > > > So when tom@example.com sends a message to abigail@example.net, > the abigail's MUA might generate a challenge like follows and > send it to tom before accepting tom's message (and perhaps > caching tom's return address and the smtp server the message > arrived from as valid and not warranting future challenges) > > envelope-return-address: abigail-cribounce@example.net > evelope-recipient: tom@example.com > X-Asrg-Cri-Status: Challenge > Message-Id: <cri-challenge-...@example.net> > From: <abigail@example.net> > Date: ... > Subject: Challenge re: Beans? > > This message is a challenge to verify that tom@example.com > sent a message with subject line <<Beans?>> to > abigail@example.net. > > If you sent the message in question, please forward this > challenge message to abigail@example.net (replying to > it should work) > > If you did not send the message and would like to report > an abuse incident, please forward this challenge message > to abusebot@example.net. > > The following XML block is included for people using > CRI-enabled e-mail software. > > <challenge> > <challengeid>847568276345.24958793287</challengeid> > <messageid>oiuhgkjnetoij@example.com</messageid> > <bodyhash>c5fb7d43ba68c638b75485220a3c3372</bodyhash> > <subject>Beans?</subject> > <forwardifgood>abigail@example.net</forwardifgood> > <forwardifbad>abusebot@example.net</forwardifbad> > </challenge> > > __END__ > > > I suppose this could all be done with headers instead of > a block in the message body, but headers often get lost. > > > > I think the only really significant semantic suggestion I'm making > is that a hash of the body of a message should be included to > prevent forgeries of level-two systems. > > > How would it interact with mailing lists? > > * the CRI-enabled MUA would have a way to turn off challenges for > known-good sources (guest-list, known-good mailing lists) without > presuming a source good simply due to the appearance of some header > or other. > > * the CRI-enabled listserv would recognize the challenge as such > (instead of as a bounce, assuming it is a VERPing listserv) and > respond correctly, possibly using a to-be-defined extended > syntax for declaring "I am a listserv! You can recognize traffic > from me because it comes from 192.0.2.174 and it always contains > a header "List-ID: giants-list@example.org" > > > > > > > ps. the hash in the example is a hex MD5 hash of "fee fi fo fum!" > > David Nicol / If at first you don't succeed, use a bigger hammer. > http://gallaghersmash.com ----- End forwarded message ----- _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] 6. Proposals - Challenge/response - CRI Andrew Akehurst
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Yakov Shafranovich
- Re: [Asrg] 6. Proposals - Challenge/response - CRI Andrew Akehurst
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Andrew Akehurst
- Re: [Asrg] 6. Proposals - Challenge/response - CRI John Fenley
- Re: [Asrg] 6. Proposals - Challenge/response - CRI Yakov Shafranovich
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- Re: [Asrg] 6. Proposals - Challenge/response - CRI Deven T. Corzine
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- Re: [Asrg] 6. Proposals - Challenge/response - CRI david nicol
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- RE: [Asrg] 6. Proposals - Challenge/response - CRI david nicol
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean