Re: Randomness of Message-ID in IMDN

Eric Rescorla <ekr@networkresonance.com> Thu, 15 May 2008 18:50 UTC

Date: Thu, 15 May 2008 11:53:34 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>
Subject: Re: Randomness of Message-ID in IMDN
In-Reply-To: <g0hor4$frm$2@ger.gmane.org>
References: <20080503211234.0377B5081A@romeo.rtfm.com> <C5B56A4A-1901-41F6-B47E-C04F51D813E6@standardstrack.com> <20080514154217.28E375081A@romeo.rtfm.com> <28AB2CB7-DE19-42B0-906C-2D900FEDFB1A@standardstrack.com> <20080514172556.2819F5081A@romeo.rtfm.com> <g0hor4$frm$2@ger.gmane.org>
Message-Id: <20080515185334.6BA8F5081A@romeo.rtfm.com>
Cc: ietf@ietf.org, simple@ietf.org

At Thu, 15 May 2008 18:37:51 +0200,
Frank Ellermann wrote:
> 
> Eric Rescorla wrote:
> 
> > As I understand the situation, the sender is the only person
> > who has to rely on the uniqueness of this header, right?
> 
> Hi, I have not the faintest idea what you are talking about,
> but if it is in any way related to the 2822upd concept of
> a Message-ID "worldwide unique forever" is no nonsense as
> soon as a Message-ID passes mail2news gateways, and/or is
> used in an Archived-At URL.

I admit that I only spent a little while examining this, so
perhaps Eric Burger can give a more definitive answer. However,
looking at the examples in -07, it sure looks to me like
message ids are not intended to be globally unique forever,
since they're way too short.


> | The Message-ID header field contains a unique message identifier.
> | Netnews is more dependent on message identifier uniqueness and fast
> | comparison than Email is
> [...]
> | The global uniqueness requirement for <msg-id> in [RFC2822]
> | is to be understood as applying across all protocols using
> | such message identifiers, and across both Email and Netnews
> | in particular.
> 
> > (2) It is prohibitive for an attacker who has seen one or more
> > valid Message-IDs to generate additional valid Message-IDs.
> 
> That would match pseudo-random number, but a "worldwide unique
> forever" Message-ID can boil down to timestamp @ domain (plus
> magic to avoid collisions for various Message-ID generators
> for a given domain or subdomain).

I'm not sure I get the point you're trying to make here. Yes,
if you want to have unforgeability this is a stronger requirement
than worldwide uniqueness.

-Ekr
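
The distinction discussed above, between a Message-ID that is merely unique and one that an observer cannot extend, as an added example that is not part of the original message or of the IMDN draft. The ID layout, the example.com domain, the 128-bit tag size and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DOMAIN = "example.com"  # constructed domain, not from the thread
TAG_HEX = 32            # 128-bit truncated HMAC tag (assumed size)


def unique_only_id(timestamp: int, counter: int) -> str:
    """timestamp@domain plus a counter: unique, but guessable by an observer."""
    return f"{timestamp}.{counter}@{DOMAIN}"


def random_id() -> str:
    """128 bits from the OS CSPRNG: unique with overwhelming probability and
    unguessable, but the sender must remember which IDs it issued."""
    return f"{secrets.token_hex(16)}@{DOMAIN}"


def _tag(key: bytes, base: str) -> str:
    return hmac.new(key, base.encode(), hashlib.sha256).hexdigest()[:TAG_HEX]


def mac_id(key: bytes, timestamp: int, counter: int) -> str:
    """Unique part plus an HMAC tag: the sender can verify it without state."""
    base = f"{timestamp}.{counter}"
    return f"{base}.{_tag(key, base)}@{DOMAIN}"


def verify_mac_id(key: bytes, msg_id: str) -> bool:
    """True only if msg_id was produced by mac_id() under this key."""
    local, sep, domain = msg_id.partition("@")
    base, dot, tag = local.rpartition(".")
    if not sep or not dot or domain != DOMAIN:
        return False
    return hmac.compare_digest(tag.encode(), _tag(key, base).encode())


def accept_notification(outstanding: set, msg_id: str) -> bool:
    """Stateful check for random IDs: accept once, only if we issued it."""
    if msg_id in outstanding:
        outstanding.discard(msg_id)
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    good = mac_id(key, 1210877614, 7)        # constructed sample values
    altered = good.replace(".7.", ".8.", 1)  # next counter, old tag
    print(verify_mac_id(key, good), verify_mac_id(key, altered))
```

Both the random and the MAC-tagged forms stay unique; only they meet the stronger requirement, because the next value of the timestamp-and-counter form can be computed by anyone who has seen one ID.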



