Re: Machine Identity

Jeroen Massar <> Thu, 28 February 2008 17:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1876428C881; Thu, 28 Feb 2008 09:53:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VFSuJ8WKXkXk; Thu, 28 Feb 2008 09:53:23 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id D1FDF28C5AC; Thu, 28 Feb 2008 09:53:23 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2D7F528C1AB for <>; Thu, 28 Feb 2008 09:53:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 90WZk2fAWUv7 for <>; Thu, 28 Feb 2008 09:53:16 -0800 (PST)
Received: from ( [IPv6:2001:41e0:ff00:0:216:3eff:fe00:4]) by (Postfix) with ESMTP id 3007328C4AB for <>; Thu, 28 Feb 2008 09:52:23 -0800 (PST)
Received: from [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0] ( [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jeroen) by (Postfix) with ESMTPSA id CAD4F40202D; Thu, 28 Feb 2008 18:52:14 +0100 (CET)
Message-ID: <>
Date: Thu, 28 Feb 2008 18:52:19 +0100
From: Jeroen Massar <>
Organization: Unfix
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20080213 Thunderbird/ Mnenhy/
MIME-Version: 1.0
Subject: Re: Machine Identity
References: <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.6
OpenPGP: id=333E7C23
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig438909844FAB0C7D9D53A448"
X-Virus-Scanned: ClamAV version 0.92.1, clamav-milter version 0.92.1 on
X-Virus-Status: Clean
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: general discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

Dave Crocker wrote:
> Jeroen Massar wrote:
>> Stephane Bortzmeyer wrote:
>>> On Tue, Feb 26, 2008 at 10:37:06AM -0800,
>>>  Dave Crocker <> wrote  a message of 31 lines which 
>>> said:
>>>>    Why isn't a Domain Name sufficient to the purpose you have in mind?
>>> I agree with the reasons given by Keith Moore (a machine does not
>>> control its domain name).
>> More importantly: the service can't be anonymous then.
> 1. The stateed use is for application of policies, such as access 
> control.  How can that be done in the face of anonymity?

Anonymity in that nothing is registered and can't directly be correlated 
to a certain person (of course you can track IP addresses and use that 
etc to look in other log files etc).

If you take for instance an SSH key. This SSH key 'proves' that the SSH 
service that has the private key, is the same one as the one you talked 
to last time. Still it is quite anonymous, as you don't have any hooks 
to domain names or other details where whois comes into play.

> 2. In other words, please specify the details of anonymity that you 
> require.

Nothing is truly anonymous, ever. If somebody wants to find out who you 
are they will find out, if you like it or not.

> 3. Please look at:
>    <>
> specifically sections 3.1.5,

That is what I meant with 1)

DKIM indeed 'comes up' with a pub/priv keypair out of thin air, like 
SSH. When you talk to the host again you do know that you are talking to 
the same host and not a different one, but they are still anonymous.