Paper on Email Authentication (Authorization really) (was - Re: Microsoft's Sender ID Authentication......?)

william(at)elan.net william at elan.net
Mon Jun 13 20:26:18 UTC 2005



On Tue, 7 Jun 2005, Fergie (Paul Ferguson) wrote:

> > -- "william(at)elan.net" <william at elan.net> wrote:
> >
> > Since it appears NANOG continues to be used for mail-related discussions
> > and some of what goes here is based on not understanding the technologies
> > and issues involved, I'll make a link to a paper that I'm working on
> > available (when it's ready) and it will hopefully be good information
> > to understand what's up on the email authentication front and what each
> > technology can and cannot do.
>
> That would be much appreciated. :-)

My paper on Email Security Anti-Spoofing Protection with Path and 
Cryptographic Authentication Methods is now available at
  http://www.metasignatures.org/path_and_cryptographic_authentication.htm

Printable PDF version of the paper (21 pages) is also available -
  http://www.metasignatures.org/Path_And_Cryptographic_Authentication.pdf

The first parts (parts 1-4) are an overview of the various email anti-spoofing 
technology proposals that were proposed (in IETF or IRTF ASRG) in the 
last 2-3 years, what email identities they focus on, their interactions 
and differences in proposals because of that. It should be easy enough for 
NANOG readers to read and understand even if you're not a mail expert.

In part 5, I also go through why none of the proposals are really "anti-spam" 
and promotion of the methods as such is misleading. There are also chapters
on Accreditation and Reputation (including a section on Spamhaus .MAIL) and the 
"authorization vs authenticity" question that has been raised by some when 
criticizing path authentication technologies like SPF - I explain that this is 
really a problem for both path and cryptographic proposals and it's tied to 
the question of whether mail servers are "enforcing submission rights" at mail origin.

Part 6 may or may not be of interest here and is the result of my research,
presenting a proposal on how to use cryptographic signatures to correct
for SPF failures after forwarding and allow for safe rejection based on 
SPF records.


Note:
  Some people reported that the PDF version is not readable in all circumstances;
in that case send me a note privately when that happens with specs for your 
system, PDF reader version & OS and I'll try to get an idea of what needs 
to be corrected. Note that the PDF is really just a printout of the HTML version,
so if it does not work, read the original. In general, if you know a good
way to create a PDF out of HTML for documents such as mine (perfect if it 
could insert page numbers into the table of contents), let me know privately.

-- 
William Leibzon
Elan Networks
william at elan.net


