IETF Logo Mail Archive

RE: [Asrg] C/R Interworking Framework

Art Pollard <pollarda@lextek.com> Mon, 16 June 2003 02:31 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA17121 for <asrg-archive@odin.ietf.org>; Sun, 15 Jun 2003 22:31:09 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h5G2UgT12805 for asrg-archive@odin.ietf.org; Sun, 15 Jun 2003 22:30:42 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5G2Ufm12802 for <asrg-web-archive@optimus.ietf.org>; Sun, 15 Jun 2003 22:30:41 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA17104; Sun, 15 Jun 2003 22:30:38 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19RjjN-0006ZK-00; Sun, 15 Jun 2003 22:28:25 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19RjjN-0006ZH-00; Sun, 15 Jun 2003 22:28:25 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5FMk1a32446; Sun, 15 Jun 2003 18:46:01 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5FMjam32435 for <asrg@optimus.ietf.org>; Sun, 15 Jun 2003 18:45:36 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA13690 for <Asrg@ietf.org>; Sun, 15 Jun 2003 18:45:32 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19RgDY-0005kI-00 for Asrg@ietf.org; Sun, 15 Jun 2003 18:43:20 -0400
Received: from sccrmhc13.attbi.com ([204.127.202.64]) by ietf-mx with esmtp (Exim 4.12) id 19RgDY-0005kF-00 for Asrg@ietf.org; Sun, 15 Jun 2003 18:43:20 -0400
Received: from art.lextek.com (12-254-130-29.client.attbi.com[12.254.130.29](untrusted sender)) by attbi.com (sccrmhc13) with SMTP id <20030615224503016001jrd7e>; Sun, 15 Jun 2003 22:45:03 +0000
Message-Id: <5.1.0.14.2.20030615164648.057334d0@mail.1s.com>
X-Sender: PollardA@mail.1s.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
To: Asrg@ietf.org
From: Art Pollard <pollarda@lextek.com>
Subject: RE: [Asrg] C/R Interworking Framework
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Sun, 15 Jun 2003 16:46:55 -0600

At 01:49 PM 6/15/2003 -0400, you wrote:
>At 11:18 PM 6/14/2003 -0400, Eric D. Williams wrote:
>
>>On Monday, June 09, 2003 6:21 PM, Art Pollard [SMTP:pollarda@lextek.com] 
>>wrote:
>>8<...>8
>> > ... The CR system would filter based in the digital signature rather
>> > than the FROM address.
>>
>>A signature that signs what? or do you mean a 'hash' produced using a 
>>'senders'
>>private key?
>
>I think he meant a digital certificate issued by a third-part certificate 
>authority, not a digital signature.

Actually, I meant a digital signature. ;-)

Given a digital signature, one can be assured that the person who the mail 
says wrote the message actually wrote the message.  It will assist to 
prevent spoofing of the sender's information (such as when spammers search 
archives to figure out who knows who).

I envision when the whitelisting of an individual happens, their public key 
would be kept on record.  The public key could be given in the header of 
the message that passed the CR process.

Then if a new message comes in, the public key (again in the header) would 
be looked up to see if it has been whitelisted.  If it is not in the 
whitelist, a challenge would be sent.  If it is in the whitelist, then the 
message would be checked to ensure that the key and the signature match. If 
it passes then the message goes to the user.  If it does not pass, a 
challenge would be sent.

So, in a sense, the whitelisting would be based on the public key -- not on 
the e-mail address or user name or something forgable.

This avoids having a third party authority having to provide certificates 
for one person or another.  People could generate their own key sets.  And 
as long as they provided the same public/private keys to each account that 
they used then their previous whitelistings would go with them.

You do not need somebody to provide a certificate since the odds of having 
two people having the same public/private key pair are minimal and if there 
were a collision, there isn't much that a spammer could do about it.  And 
even if they could, it would only consist of spamming only a handful of 
people (like 1-100) -- not the millions that they are used to.  It just 
wouldn't be worth their time and effort.

I don't think that certificates through a third party that guarantee that 
someone is who they say they are are really worthwhile since all it takes 
is for someone dishonest to start handing out falsified certificates.  Or 
if a centralized certificate authorities were used, they would have a hard 
time keeping up with applications.

Instead, just let people generate their own public/private keys and don't 
pay attention to whether they are who they say they are as the CR system 
will weed out those who have malicious intent.

-Art
-- 
Art Pollard
http://www.lextek.com/
Suppliers of High Performance Text Retrieval Engines.

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

v2.31.3 | Report a Bug | By Email | System Status