Re: [Asrg] 6. Proposals - Challenge/response - CRI
"Deven T. Corzine" <deven@ties.org> Wed, 20 August 2003 17:44 UTC
From: "Deven T. Corzine" <deven@ties.org>
To: Yakov Shafranovich <research@solidmatrix.com>
cc: Andrew Akehurst <A.D.Akehurst-99@student.lboro.ac.uk>, asrg@ietf.org
Subject: Re: [Asrg] 6. Proposals - Challenge/response - CRI
In-Reply-To: <6.0.0.14.0.20030820114058.0273e1d0@solidmatrix.com>
Message-ID: <Pine.LNX.4.33.0308201326060.25117-100000@escher.ties.org>
Date: Wed, 20 Aug 2003 13:42:17 -0400
On Wed, 20 Aug 2003, Yakov Shafranovich wrote:

> > > I think the only really significant semantic suggestion I'm making
> > > is that a hash of the body of a message should be included to
> > > prevent forgeries of level-two systems.
>
> That has been mentioned before and is a pretty good idea. It also
> alleviates some privacy concerns since the originating MTA/MUA does not
> have to store copies of messages, but can store MD5 hashes instead.

Using a hash is an obvious thing to do, but it begs the question of exactly
what you're hashing. You can't safely hash the entire message because the
headers change on every hop, at least for Received: lines. Other headers
might be mangled or normalized as well. You can ignore the header, but it
would be good to validate parts of it.

Even if you just hash the body, you have to be concerned about the message
being mangled by intermediate MTAs. Now, you could Base64-encode the content
to protect it against mangling, but that renders the plaintext of the
message unreadable. You could strip out all characters but the ones used
for Base64 encoding, and hash that. Perhaps quoted-printable encoding would
be another semi-readable option.

PGP has to deal with this issue for "clear-signed" messages -- how does it
address this issue? (Or does it depend on the body not getting mangled to
be able to verify the signature?)

Of course, another option is to simply use PGP. This seems the obvious
answer for mailing lists -- the mailing list should clear-sign all valid
messages with a private key used only for that mailing list, and have the
user whitelist that PGP key (perhaps by keeping a copy signed with their own
PGP key?) -- then no spammer could forge messages appearing to be from that
mailing list...

Deven
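A canonicalizing body hash of the kind debated above, as an added example that is not part of the thread: it either keeps only the Base64 alphabet (the poster's "strip everything else" idea) or applies OpenPGP-style text canonicalization (trailing spaces and tabs stripped, CRLF line endings, which is how RFC 4880 clear-signing copes with the same mangling problem), then checks which MTA manglings each form tolerates and that a changed body is still caught. The sample bodies are constructed and the function names are my own; SHA-256 stands in for the MD5 mentioned upthread.

```python
import hashlib
import re

# Constructed sample body; not from the original thread.
ORIGINAL = (b"Hello,\r\n"
            b"Please review the attached proposal by Friday.\r\n"
            b"Thanks\r\n")
# The same body as intermediate MTAs might hand it on.
LF_ONLY = ORIGINAL.replace(b"\r\n", b"\n")                         # line endings rewritten
TRAILING_WS = ORIGINAL.replace(b"Friday.\r\n", b"Friday. \t\r\n")  # whitespace appended
REWRAPPED = (b"Hello,\r\nPlease review the attached\r\n"
             b"proposal by Friday.\r\nThanks\r\n")                 # lines re-folded
TAMPERED = ORIGINAL.replace(b"Friday", b"Monday")                  # a real content change

_NOT_B64 = re.compile(rb"[^A-Za-z0-9+/]")


def canon_b64chars(body: bytes) -> bytes:
    """The poster's idea: keep only the Base64 alphabet, so whitespace and line
    structure never reach the hash.  Caveat: anything outside that alphabet
    (punctuation, 8-bit text) is equally invisible to the check."""
    return _NOT_B64.sub(b"", body)


def canon_pgp_text(body: bytes) -> bytes:
    """OpenPGP text-mode canonical form (RFC 4880): strip trailing spaces and
    tabs from every line and normalise line endings to CRLF.  Tolerates the
    two most common manglings but not re-wrapping."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)


def body_hash(body: bytes, canon=canon_b64chars) -> str:
    """Hex digest of the canonicalised body.  SHA-256 rather than MD5, whose
    collision resistance is long broken."""
    return hashlib.sha256(canon(body)).hexdigest()


def body_matches(stored_digest: str, received_body: bytes, canon=canon_b64chars) -> bool:
    """The check a level-two C/R system would make: does the digest stored when
    the message went out match the body now quoted back in the challenge?"""
    return body_hash(received_body, canon) == stored_digest


if __name__ == "__main__":
    for name, canon in (("b64chars", canon_b64chars), ("pgp-text", canon_pgp_text)):
        stored = body_hash(ORIGINAL, canon)
        for label, copy in (("lf-only", LF_ONLY), ("trailing-ws", TRAILING_WS),
                            ("rewrapped", REWRAPPED), ("tampered", TAMPERED)):
            print(f"{name:9} {label:12} match={body_matches(stored, copy, canon)}")
```

Note the trade-off the run makes visible: the Base64-alphabet form survives re-wrapping but also ignores punctuation changes, while the OpenPGP form is stricter but breaks on re-folded lines.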