yahoo to use public key technology for anti-spam
Sidney Markowitz
sidney at sidney.com
Mon Dec 8 11:56:48 EST 2003
ck at kuckuk.com wrote:

> Does anybody know what has become of the low-tech,
> no-cryptography-needed RMX DNS record entry proposal?

A google search for "rmx dns" without quotes brings up as its first hit
the Internet Draft at IETF which is dated October 2003. The subsequent
hits show lots of discussion about it.

You might also be interested in http://spf.pobox.com which seems to be a
similar proposal that extends the MX record rather than define a new rmx
record.

To bring it back to the cryptography topic of this list, the draft
proposal for rmx brings up a problem with crypto solutions that I did
not see mentioned here yet. I'll just quote the relevant paragraph from
the Draft rather than summarize it. Note that the draft states that it
specifies only non-cryptographic mechanisms but still allows use of
cryptography.

[begin quote]

2.4. Shortcomings of cryptographical approaches

At a first glance, the problem of sender address forgery might
appear to be solvable with cryptographic methods such as challenge
response authentications or digital signatures. A deeper analysis
shows that only a small, closed user group could be covered with
cryptographical methods. Any method used to stop spam forgery must
be suitable to detect forgery not only for a small number of
particular addresses, but for all addresses on the world. An
attacker does not need to know the secrets belonging to a
particular address. It is sufficient to be able to forge any
address and thus to know any secret key. Since there are several
hundreds of millions of users, there will always be a large amount
of compromised keys, thus spoiling any common cryptographic method.

Furthermore, cryptography has proven to be far too complicated and
error prone to be commonly administered and reliably implemented.
Many e-mail and DNS administrators do not have the knowledge
required to deal with cryptographic mechanisms. Many legislations
do not allow the general deployment of cryptography and a directory
service with public keys. For these reasons, cryptography is
applicable only to a small and closed group of users, but not to
all participants of the e-mail service.

[end quote]

-- sidney
---------------------------------------------------------------------
The Cryptography Mailing List