Re: Microsoft's Sender ID Authentication......?
That would be much appreciated. :-)
- ferg
-- "william(at)elan.net" <william@elan.net> wrote:
Since it appears NANOG continues to be used for mail-related discussions and some of what goes here is based on not understanding technologies and issues involved, I'll make a link to a paper that I'm working on available (when it's ready) and it will hopefully be good information to understand what's up in email authentication front and what each technology can and can not do.
-- William Leibzon Elan Networks william@elan.net
On Tue, 7 Jun 2005, Fergie (Paul Ferguson) wrote:
-- "william(at)elan.net" <william@elan.net> wrote:
Since it appears NANOG continues to be used for mail-related discussions and some of what goes here is based on not understanding technologies and issues involved, I'll make a link to a paper that I'm working on available (when it's ready) and it will hopefully be good information to understand what's up in email authentication front and what each technology can and can not do.
That would be much appreciated. :-)
My paper on Email Security Anti-Spoofing Protection with Path and Cryptographic Authentication Methods is now available at http://www.metasignatures.org/path_and_cryptographic_authentication.htm
A printable PDF version of the paper (21 pages) is also available - http://www.metasignatures.org/Path_And_Cryptographic_Authentication.pdf
The first parts (parts 1-4) are an overview of the various email anti-spoofing technology proposals that were proposed (in IETF or IRTF ASRG) in the last 2-3 years, what email identities they focus on, their interactions and differences in proposals because of that. It should be easy enough for NANOG readers to read and understand even if you're not a mail expert.
In part 5, I also go through why none of the proposals are really "anti-spam" and promotion of the methods as such is misleading. There are also chapters on Accreditation and Reputation (including a section on spamhaus .MAIL) and the "authorization vs authenticity" question that has been raised by some when criticizing path authentication technologies like SPF - I explain that it is really a problem for both path and cryptographic proposals and it's tied to the question of whether mail servers are "enforcing submission rights" at mail origin.
Part 6 may or may not be of interest here and is the result of my research, presenting a proposal on how to use cryptographic signatures to correct for SPF failures after forwarding and allow for safe rejection based on SPF records.
Note: Some people reported that the PDF version is not readable in all circumstances; in that case send me a note privately when that happens with specs for your system, PDF reader version & OS and I'll try to get an idea of what needs to be corrected. Note that the PDF is really just a printout of the HTML version, so if it does not work, read the original. In general, if you know a good way to create PDF out of HTML for documents such as mine (perfect if it could insert page numbers into the table of contents), let me know privately.
-- William Leibzon Elan Networks william@elan.net
On 06/13/05, "william(at)elan.net" <william@elan.net> wrote:
In part 5, I also go through why none of the proposals are really "anti-spam" and promotion of the methods as such is misleading.
No matter how the authors may "promote" their methods, most people don't perceive that there's any great separation between anti-spam and anti-forgery techniques. As far as they're concerned, all e-mail threats are basically the same.
E-mail authentication's promise is that it will improve the overall state of the global e-mail infrastructure. Chopping that into smaller bits may be a fun intellectual exercise, but it doesn't help explain what's going on to anyone outside of our fairly small technology-focused circles.
-- J.D. Falk blong! you are a pickle! <jdfalk@cybernothing.org>
On Mon, 13 Jun 2005, J.D. Falk wrote:
On 06/13/05, "william(at)elan.net" <william@elan.net> wrote:
In part 5, I also go through why none of the proposals are really "anti-spam" and promotion of the methods as such is misleading.
No matter how the authors may "promote" their methods, most people don't perceive that there's any great separation between anti-spam and anti-forgery techniques. As far as they're concerned, all e-mail threats are basically the same.
This attitude is exactly playing into the hands of DMA, which wants to make it seem like spam is only those UBE with forged origin data.
E-mail authentication's promise is that it will improve the overall state of the global e-mail infrastructure. Chopping that into smaller bits may be a fun intellectual exercise, but it doesn't help explain what's going on to anyone outside of our fairly small technology-focused circles.
Chopping a complex issue into pieces which can be worked on and looked at separately is exactly the approach that has very often been used in research, engineering, politics/diplomacy and many other areas. This is no different and should be easy enough to explain to non-technical folks.
-- William Leibzon Elan Networks william@elan.net
On 06/13/05, "william(at)elan.net" <william@elan.net> wrote:
No matter how the authors may "promote" their methods, most people don't perceive that there's any great separation between anti-spam and anti-forgery techniques. As far as they're concerned, all e-mail threats are basically the same.
This attitude is exactly playing into the hands of DMA, which wants to make it seem like spam is only those UBE with forged origin data.
I'm not describing my own attitude above, so you can stop being insulting. What I've described is a common perception held by end-user types. I'm not saying their perceptions are correct, I'm just saying they exist and shouldn't be ignored.
This is moving further off-topic, so I'll leave it at that.
-- J.D. Falk blong! you are a pickle! <jdfalk@cybernothing.org>
participants (3)
- Fergie (Paul Ferguson)
- J.D. Falk
- william(at)elan.net