Re: [Asrg] 6. Proposals - Challenge/response - CRI
Yakov Shafranovich <research@solidmatrix.com> Wed, 20 August 2003 15:43 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA15770 for <asrg-archive@odin.ietf.org>; Wed, 20 Aug 2003 11:43:40 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pV7D-0002SV-Q0 for asrg-archive@odin.ietf.org; Wed, 20 Aug 2003 11:43:16 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h7KFhFqg009445 for asrg-archive@odin.ietf.org; Wed, 20 Aug 2003 11:43:15 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pV7D-0002SG-Lm for asrg-web-archive@optimus.ietf.org; Wed, 20 Aug 2003 11:43:15 -0400
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA15731; Wed, 20 Aug 2003 11:43:09 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pV61-0002IR-Ml; Wed, 20 Aug 2003 11:42:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19pV5Q-0002Fb-I9 for asrg@optimus.ietf.org; Wed, 20 Aug 2003 11:41:24 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA15564 for <asrg@ietf.org>; Wed, 20 Aug 2003 11:41:17 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19pV5P-0002Rx-00 for asrg@ietf.org; Wed, 20 Aug 2003 11:41:23 -0400
Received: from [68.27.159.83] (helo=68.27.159.83 ident=trilluser) by ietf-mx with smtp (Exim 4.12) id 19pV5L-0002RQ-00 for asrg@ietf.org; Wed, 20 Aug 2003 11:41:20 -0400
Message-Id: <6.0.0.14.0.20030820114058.0273e1d0@solidmatrix.com>
X-Sender: research@solidmatrix.com
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.14 (Beta)
To: Andrew Akehurst <A.D.Akehurst-99@student.lboro.ac.uk>, asrg@ietf.org
From: Yakov Shafranovich <research@solidmatrix.com>
Subject: Re: [Asrg] 6. Proposals - Challenge/response - CRI
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-MimeHeaders-Plugin-Info: v2.03.00
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/asrg/>
Date: Wed, 20 Aug 2003 11:40:59 -0400
At 04:48 AM 8/20/2003, Andrew Akehurst wrote: >Hello everyone > >Some forwarded further reaction to the CRI proposal here from David. >I've had a few ideas myself over the past couple of days and I'll be >posting them shortly. > >Thanks > >Andrew > >----- Forwarded message from david nicol <whatever@davidnicol.com> ----- > > > > I think it's too complex and fiddles with too many preexisting > > protocols. > > Keep in mind that CRI is a larger subset of the general protocol used to exchange consent tokens - CRI is a subset used for C/R system. There are many problems with creating new protocols and structures, and various issues involved. One of them is backwards compatibility which CRI accomplishes by providing a section of the message that is intended for human beings. > >.......... > > I am opposed to level three. As computing power keeps increasing, > > as well as the availability of human brains, when properly organized, > > turing test systems become useless. > > Someone has pointed this issue out before and we had even tried to calculate how much it would cost to create software that lets spammers hire cheap labor and quickly reply to messages. Labor costs were also taken into account. HOWEVER, keep in mind that in order to answer any form of C/R challenge or exchange consent tokens via C/R, the spammers MUST use a valid return email address. That already brings us to a closer solution for traceability of spam. > > I think a good thing to agree on might be an XML DTD for challenges > > and responses, which could be embedded into a human-readable > > challenge message that states the same thing as the XML challenge, > > for those users (initially everyone) who do not use a CRI-enabled > > MUA. > > XML might be used for the machine readable body of the message but you would still need MIME headers and an ESMTP extension in order to make this work in the world of email. As for the DTD, I believe that the general consent token exchange protocol is a larger superset of CRI, and could be used to define the generic format for consent tokens, which then can be used by CRI in this specific context. Additionally, IANA registry considerations must be taken into account if we want consent token types to be consistent across the Internet. > > What information would beed to be in there, to have level two > > functionality? Last night I came up with what I believe is a > > workable set: > > > > 1: message-ID of the message in question. Message-IDs are generated > > by the MUA (well they can be) and the MUA can remember which ones it > > generated. Message-ID alone allows a valid Message-ID to be attached > > to an invalid message, so Message-ID is not sufficient. > > That is assuming the MUA is the one repling to the challenge. Many times it is possible that the intermediate MTA would do so, and in that case, it would have to memorize the message IDs. > > 2: MD5 hash of the body of the message. By including this information, > > it is only possible to forge a message that was actually sent. > > > > 3: subject line. It appears in the header, not the body, and it > > is good to include the subject line in human-readable forms. > >............ > > __END__ > > > > > > I suppose this could all be done with headers instead of > > a block in the message body, but headers often get lost. > > > > CRI as it is now would require a multi-part MIME message with the headers located inside the machine readable message block. > > > > I think the only really significant semantic suggestion I'm making > > is that a hash of the body of a message should be included to > > prevent forgeries of level-two systems. > > That has been mentioned before and is a pretty good idea. It also alleviates some privacy concerns since the originating MTA/MUA does not have to store copies of messages, but can store MD5 hashes instead. _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] 6. Proposals - Challenge/response - CRI Andrew Akehurst
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Yakov Shafranovich
- Re: [Asrg] 6. Proposals - Challenge/response - CRI Andrew Akehurst
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Andrew Akehurst
- Re: [Asrg] 6. Proposals - Challenge/response - CRI John Fenley
- Re: [Asrg] 6. Proposals - Challenge/response - CRI Yakov Shafranovich
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- Re: [Asrg] 6. Proposals - Challenge/response - CRI Deven T. Corzine
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- Re: [Asrg] 6. Proposals - Challenge/response - CRI david nicol
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean
- RE: [Asrg] 6. Proposals - Challenge/response - CRI david nicol
- RE: [Asrg] 6. Proposals - Challenge/response - CRI Eric Dean