Yahoo to use public key technology for anti-spam

Sidney Markowitz sidney at sidney.com
Mon Dec 8 11:56:48 EST 2003


ck at kuckuk.com wrote:
> Does anybody know what has become of the low-tech,
> no-cryptography-needed RMX DNS record entry proposal?

A Google search for "rmx dns" without quotes brings up as its first hit 
the Internet Draft at IETF, which is dated October 2003. The subsequent 
hits show lots of discussion about it.

You might also be interested in http://spf.pobox.com which seems to be a 
similar proposal that extends the MX record rather than defining a new rmx 
record.

To bring it back to the cryptography topic of this list, the draft 
proposal for rmx brings up a problem with crypto solutions that I did 
not see mentioned here yet. I'll just quote the relevant paragraph from 
the Draft rather than summarize it. Note that the draft states that it 
specifies only non-cryptographic mechanisms but still allows use of 
cryptography.

[begin quote]
2.4.  Shortcomings of cryptographical approaches

  At a first glance, the problem of sender address forgery might
  appear to be solvable with cryptographic methods such as challenge
  response authentications or digital signatures. A deeper analysis
  shows that only a small, closed user group could be covered with
  cryptographical methods. Any method used to stop spam forgery must
  be suitable to detect forgery not only for a small number of
  particular addresses, but for all addresses on the world. An
  attacker does not need to know the secrets belonging to a
  particular address. It is sufficient to be able to forge any
  address and thus to know any secret key. Since there are several
  hundreds of millions of users, there will always be a large amount
  of compromised keys, thus spoiling any common cryptographic method.
  Furthermore, cryptography has proven to be far too complicated and
  error prone to be commonly administered and reliably implemented.
  Many e-mail and DNS administrators do not have the knowledge
  required to deal with cryptographic mechanisms. Many legislations
  do not allow the general deployment of cryptography and a directory
  service with public keys. For these reasons, cryptography is
  applicable only to a small and closed group of users, but not to
  all participants of the e-mail service.
[end quote]

  -- sidney

---------------------------------------------------------------------
The Cryptography Mailing List