Re: [Asrg] Proven solution for authenticating messages
Prasenjeet Dutta <bulk@chaoszone.org> Tue, 04 March 2003 07:20 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA08005 for <asrg-archive@odin.ietf.org>; Tue, 4 Mar 2003 02:20:36 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h247UvZ10555 for asrg-archive@odin.ietf.org; Tue, 4 Mar 2003 02:30:57 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h247Uvp10552 for <asrg-web-archive@optimus.ietf.org>; Tue, 4 Mar 2003 02:30:57 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA07996; Tue, 4 Mar 2003 02:20:05 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h247U2p10496; Tue, 4 Mar 2003 02:30:02 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h247TTp10436 for <asrg@optimus.ietf.org>; Tue, 4 Mar 2003 02:29:29 -0500
Received: from vesta (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA07978 for <asrg@ietf.org>; Tue, 4 Mar 2003 02:18:34 -0500 (EST)
Received: from [127.0.0.1] by vesta (ArGoSoft Mail Server, Version 1.8 (1.8.1.2)); Tue, 4 Mar 2003 12:50:28
Message-ID: <3E6453B9.2080905@chaoszone.org>
From: Prasenjeet Dutta <bulk@chaoszone.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030210
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: asrg@ietf.org
CC: mike.pearson@ssc.govt.nz
Subject: Re: [Asrg] Proven solution for authenticating messages
References: <7B170C5E4008D311ABB70008C7D3825B03BC340E@saison.ssc.govt.nz> <20030303213350.GA13559@danisch.de>
In-Reply-To: <20030303213350.GA13559@danisch.de>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Tue, 04 Mar 2003 12:50:25 +0530
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Hadmut Danisch wrote: > - Almost the same could be achieved by simply using the > STARTTLS command of ESMTP. Our rackland server is configured > to use it, but a view on the log files shows that extremely > few other servers support this. > > Why not simply use TLS if it already exists and is implemented? > Because people refuse to use it. It could also be because most PKI infrastructure is based on the X.509 model, which (though scalable) requires folk needing a certificate to cough up cash to CAs like Verisign. Also, for secure personal communication (as opposed to electronic commerce), PGP has been arguably far more popular than S/MIME. Especially given its free, bottom-up 'web of trust' model, PGP may well succeed where the top-down X.509 has not. Again, what is the goal of using TLS for email? Securing the messages? That opens up a new battle with the monitoring agencies. Or is it (from the anti-spam point of view) to let SMTP servers non-repudiably identify themselves? If this is the goal, then it can be done with far less overhead than TLS. Digital signatures inserted by the *server* (not by the user, who should not have to bother with the complexity of this) to identify *itself*, using an RFC 2440 infrastructure, may be more successful in making individual SMTP servers identifiable and accountable for what they spew onto the Internet. Consider this fragment: O: Received: from localhost by europa O: (Exim version 3.12 #1); Wed, 22 Jan 2003 07:10:06 O: Origin-Server-Identity: public-key; O: europa.uri.com (12.10.58.222) O: Origin-Server-Key: <mailto:osk+europa@uri.com> O: Origin-Server-Signature: rfc2440; encoding=base64 O: iQA/AwUAPi2tY1VioDO/jwwhEQIyrACg6HYQDh+ynXbfqSp+4hF3kfb6zQIAnRYN O: Ca1gPsBiRizLdYbtci4yVJRziQA/AwUAPi2tY1VioDO/jwwhEQIyrACg6HYQDh+y O: nXbfqSp+4hF3kfb6zQIAnRYNCa1gPsBiRizLdYbtci4yVJRz O: =1cuV O: Message-ID: <002b01c2c1b7$30889ab0$1c01010a@europa> Here, the Origin-Server-Identity and Origin-Server-Key is signed and the signature is placed inline in the Origin-Server-Signature header. This signature can even be created offline as a one-time affair. The recipient server (or a plug-in within it) would have to compare the stated origin server name/IP address with the actual server name/IP address, and check if the key is trusted, as well as for revocation. The best part is, given modern mail servers and their ability to run plug-ins, all of this is doable without any change to existing MTAs. No change is required to MUAs or users' email habits as well. -- Prasenjeet Dutta http://www.chaoszone.org/ _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] Proven solution for authenticating messages mike.pearson
- Re: [Asrg] Proven solution for authenticating mes… Hadmut Danisch
- Re: [Asrg] Proven solution for authenticating mes… Prasenjeet Dutta
- Re: [Asrg] Proven solution for authenticating mes… Hadmut Danisch
- Re: [Asrg] Proven solution for authenticating mes… Prasenjeet Dutta
- Re: [Asrg] Proven solution for authenticating mes… Hadmut Danisch
- Re: [Asrg] Proven solution for authenticating mes… Roland
- Re: [Asrg] Proven solution for authenticating mes… Prasenjeet Dutta
- Re: [Asrg] Proven solution for authenticating mes… Prasenjeet Dutta
- use of signatures is not restricted by law (Re: [… Adam Back
- Re: use of signatures is not restricted by law (R… Hadmut Danisch
- Re: [Asrg] Proven solution for authenticating mes… Matthias Leisi
- Re: [Asrg] Proven solution for authenticating mes… Brad Templeton
- Re: use of signatures is not restricted by law (R… Adam Back
- Re: use of signatures is not restricted by law (R… Hadmut Danisch
- Re: [Asrg] Proven solution for authenticating mes… Vernon Schryver
- Re: use of signatures is not restricted by law (R… Adam Back
- RE: use of signatures is not restricted by law (R… Bob Wyman
- Re: use of signatures is not restricted by law (R… Hadmut Danisch
- Re: use of signatures is not restricted by law (R… Ben Laurie
- Re: use of signatures is not restricted by law (R… Brad Templeton