Re: [dns-wg] DNS RMX records - e-mail sender authorization
Date: Thu, 16 Oct 2003 09:27:49 +0200
On Wed, Oct 15, 2003 at 02:53:01PM +0200, Brad Knowles wrote:
> At 1:41 PM +0200 2003/10/15, hadmut@localhost wrote:
>
> > I see. Would you mind if I use "From: bortzmeyer@localhost" when I am at
> > home?
>
> You can use whatever you want. There's nothing anyone can do to
> stop you. Moreover, the header "From:" is totally unrelated to the
> envelope sender address, and there's nothing in your proposal, or any
> similar proposal, that could successfully keep clever people from
> doing this sort of stuff anyway.
Two replies:
- So why is Stephane complaining that these proposals would break his
ability to use "From: bortzmeyer@localhost" ? In fact, none of the
proposals would stop him from doing so, but since he complained
about this emotionally, I tried to pick up his argument the same
way. People should read and understand a draft before attacking it.
- The proposals are not intended to stop anyone from forging the
From: line for several technical reasons, they are intended to
stop forging the envelope sender address. There are very good
reasons to do it this way, especially the different semantics of
those addresses. The From: line specifies the author of the mail,
the envelope address specifies the initiator of the transport.
These addresses are not necessarily the same in reality. In many
cases they can differ legally, e.g. for list processors, forwarding,
bouncing,...
However, if such a mail turns out to be forged (i.e. it has not
been written by the sender specified in the From: line) or is
any kind of fraud, worm, virus,... then it needs to be tracked back
to where it came from to identify the _sender_ . There is no
technical way to verify the author, except for cryptographical
signatures, which are undeployable in a world wide scale.
But there is a way to do a light weight verification of the
sender of the message by checking the authorization. That's what
RMX and the RMX-like proposals do.
You need to understand the technical, legal and semantical
difference between sender and author. Otherwise you're lost.
> Of course, keep in mind that recent viruses have used legitimate
> local e-mail addresses to send copies of themselves to people in that
> person's address book. You certainly shouldn't be able to prevent
> him from being able to use "From: bortzmeyer@localhost" when it's his
> own machine sending mail from his own MUA, assuming he were
> vulnerable to this sort of thing.
That's a very bad argument.
- Even if he is the owner of his machine, this does not automatically
mean that he is the owner of this particular domain or address.
That's how emotions work, but security does not work this way.
Being authorized to use a particular address has nothing to do with
whether someone is the owner of a particular computer. I am right
now using a computer to write this e-mail which I don't own. So what?
To invent e-mail security, there must be a technical difference
between those who are authorized to use an address and those who are
not. This difference must be detectable by receivers. That's how
security works.
Would you prefer to ask every sender of an e-mail message whether
he can show a purchase receipt for the computer to prove that he
is the legitimate owner? Think about it. The being-the-owner-of-the-
machine argument is nonsense.
- If the virus needs to use a legitimate address, then any
error messages of the virus filter will be sent back to the
person responsible for that machine, and the machine can
be fixed or taken offline. This is not possible if the error
messages are sent to the wrong address.
- I and many other people are currently drowning in error messages
from relays which received worm messages with my/their domain
as a sender address. This is a much bigger problem than the
worms themselves. RMX will stop this immediately.
Hadmut
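The check Hadmut describes, as an added example that is not part of the mailing-list thread and not the RMX draft's own code: a receiving MTA takes the domain from the SMTP envelope sender (MAIL FROM), looks up which hosts that domain has authorized in DNS, and compares the connecting client's IP against that list. The `From:` header is deliberately not consulted, matching the author/sender distinction the post insists on. The DNS zone (`CONSTRUCTED_RMX_ZONE`), the record syntax (a list of CIDR networks per domain), and the function names are constructed for illustration; the real RMX draft defines its own record format, which this example does not reproduce.

```python
"""Minimal RMX-like envelope-sender authorization check (added example,
constructed for illustration; not the RMX draft's own record format).

Verdicts:
  'pass' - the client IP is one the envelope domain authorizes
  'fail' - the domain publishes a policy and the client IP is not in it
  'none' - no policy published, or no envelope domain (null sender '<>')
"""

import ipaddress
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS lookups: domain -> authorized sending networks.
# An empty list means "no host may send for this domain"; a domain that is
# absent from the table has published nothing.
CONSTRUCTED_RMX_ZONE: Dict[str, List[str]] = {
    "example.org": ["192.0.2.0/24", "2001:db8::/32"],
    "example.net": ["198.51.100.25/32"],
    "nomail.example": [],
}


def envelope_domain(mail_from: str) -> Optional[str]:
    """Domain part of an SMTP MAIL FROM path such as '<bounces@example.org>'.
    The null reverse path '<>' (used for bounces) has no domain -> None."""
    _, addr = parseaddr(mail_from)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def rmx_check(mail_from: str, client_ip: str,
              zone: Dict[str, List[str]] = CONSTRUCTED_RMX_ZONE) -> str:
    """Is client_ip authorized by DNS to use the envelope sender domain?"""
    domain = envelope_domain(mail_from)
    if domain is None:
        return "none"
    networks = zone.get(domain)
    if networks is None:
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for net in networks:
        # 'in' is False on an address/network version mismatch (v4 vs v6),
        # so mixed-version lists are safe to iterate.
        if ip in ipaddress.ip_network(net):
            return "pass"
    return "fail"


def smtp_reply(verdict: str) -> str:
    """Map a verdict to the reply given *inside* the SMTP transaction.
    Rejecting at MAIL FROM time with a 5xx means the message is never
    accepted, so no bounce is ever generated to the (possibly forged)
    envelope address; this is what keeps the forged domain's owner from
    receiving the error messages the post complains about."""
    if verdict == "fail":
        return "550 5.7.1 Sender host not authorized for envelope domain"
    return "250 2.1.0 Sender OK"


def evaluate_session(mail_from: str, client_ip: str,
                     headers: Dict[str, str]) -> Tuple[str, str]:
    """Full decision for one delivery attempt.

    `headers` (e.g. {'From': 'bortzmeyer@localhost'}) is accepted only to
    make the point explicit: the From: header names the *author* and is
    never checked here; only the envelope sender (transport initiator)
    is subject to authorization, exactly as the post argues."""
    verdict = rmx_check(mail_from, client_ip)
    return verdict, smtp_reply(verdict)


if __name__ == "__main__":
    # Constructed sample sessions.
    for mf, ip in [("<bounces@example.org>", "192.0.2.10"),   # pass
                   ("<bounces@example.org>", "203.0.113.5"),  # fail (forged)
                   ("<x@unknown.example>", "203.0.113.5"),    # none
                   ("<>", "203.0.113.5")]:                    # null sender
        print(mf, ip, evaluate_session(mf, ip, {"From": "someone@elsewhere"}))
```

Note the two deliberate design choices: a domain with no published record yields `none` rather than `fail`, so deployment can be incremental, and a rejection is issued in-session (5xx at MAIL FROM) rather than by accepting and later bouncing, because a post-acceptance bounce would itself be backscatter to whichever domain the worm forged.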