Hallam-Baker, Phillip | 1 Dec 2004 01:01

RE: Attacking Domain Keys

> -----Original Message-----
> From: owner-spf-discuss <at> v2.listbox.com 
> [mailto:owner-spf-discuss <at> v2.listbox.com] On Behalf Of Seth Goodman
> HMAC-SHA1 is a form of MAC, as I'm sure you'll agree.  SES 
> uses HMAC-SHA1 signatures and SHA-1 digests, so it seems to 
> meet your exception. Apparently, it is possible to have a 
> signature scheme that is less complex and costly than RSA.

And as I pointed out, a symmetric keyed MAC algorithm does not work for the
problem that DK is addressing.

The use in SES is only possible because the signature only needs to be
verified by the party that generated it. It is possible to apply similar
techniques in the manner of Kerberos and SSL but these are both complex
mult-trip protocols that would require an entire redesign of the email
communication protocol to make use of.

The use of these techniques was not rejected through ignorance of them as
you appear to believe. 

> Non-existent?  SPF-Discuss has archives and so does 
> SES-Devel.  Read the archives, search under my name and SES 
> and please stop the name-calling.

If you give no hint as to the context then there is no way that I can tell
what you might be referring to.

I have been designing crypto protocols for over a decade. You do not have
the standing in that community to dismiss others with 'go read the
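To illustrate the point made above about SES, here is an added example (not code from the original posts or from the SES project) of a keyed-MAC signed return path: the generating site can verify its own bounce addresses with HMAC-SHA1, but a third party can only verify if it is handed the same key, and then it could mint valid addresses too. The address layout and key are constructed for the example, not the real SES format.

```python
import hmac
import hashlib

# Layout assumed for illustration: SES=<tag>=<timestamp>=<original local part>@<domain>.
# Modelled on the idea of signed bounce addresses discussed in the thread, not the SES spec.
TAG_LEN = 12  # hex characters of the HMAC-SHA1 output kept in the address


def _tag(key: bytes, local: str, domain: str, ts: int) -> str:
    """HMAC-SHA1 over the original address and issue time, truncated to TAG_LEN."""
    msg = f"{local}@{domain}:{ts}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:TAG_LEN]


def sign_return_path(key: bytes, local: str, domain: str, ts: int) -> str:
    """Build the signed envelope sender used on outgoing mail."""
    return f"SES={_tag(key, local, domain, ts)}={ts}={local}@{domain}"


def verify_return_path(key: bytes, addr: str, now: int, max_age: int = 7 * 86400) -> str:
    """Classify a bounce recipient. Only a holder of `key` can run this check,
    which is why the scheme works for the originating site but cannot serve as a
    signature that unrelated receivers verify (the DK problem)."""
    local_part, _, domain = addr.rpartition("@")
    parts = local_part.split("=", 3)
    if len(parts) != 4 or parts[0] != "SES":
        return "unsigned"
    _, tag, ts_str, orig_local = parts
    try:
        ts = int(ts_str)
    except ValueError:
        return "malformed"
    if ts > now or now - ts > max_age:
        return "expired"
    # Constant-time comparison; a wrong key or tampered address yields "forged".
    if not hmac.compare_digest(tag, _tag(key, orig_local, domain, ts)):
        return "forged"
    return "valid"
```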

Greg Connor | 1 Dec 2004 01:22

Re: RESULTS of the VOTE FOR THE SPF COUNCIL - plus, recording officers statement

On Tue, 30 Nov 2004, william(at)elan.net wrote:

> 
> Also FYI - the following people voted for themselves:
>  Meng Weng Wong
>  Chuck Mead
>  Julian Mehnle
>  Shevek
> And 3 of them are in top 5 (and I voted for 2 of them too). 

I personally don't have a problem with someone voting for himself.  I don't 
think it's improper or bad taste to be part of the voting membership and to 
consider oneself among the top five.  After all, if you are looking for 
candidates whose views are a close match for your own, "your own" is a really 
good match.

I didn't do so for personal reasons -- basically I didn't have a strong enough
preference between "SPF council with me in it" and "SPF council without me in
it".  The council will be successful based on other factors, I'm sure :)  I'm 
happy with the final selection.

(Anyway it's kind of a moot point since the outcome wasn't close enough for
one vote to make the difference.)

--
Greg Connor
gconnor <at> nekodojo.org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes

Greg Connor | 1 Dec 2004 01:44

RE: Re[2]: OT: education needed

On Tue, 30 Nov 2004, David Woodhouse wrote:

> On Tue, 2004-11-30 at 09:14 +0000, Richard Bang wrote:
> > Our MTA goes one further. It will only resolve to a domain if the admin has
> > specifically bound the IP to a domain. Otherwise it always fails.
> 
> The _only_ working localpart at the IPv4 or IPv6 literal domains of my
> mail servers is postmaster <at> .
> 
> There's no requirement that anything else should work, and certainly no
> requirement that a given localpart at any or all of the virtual domains
> hosted on any given box shall map to the same destination mailbox or
> forwarding address as each other or to the same destination as the same
> localpart at an IP literal domain.

I would actually go one step further and say that you don't really have to 
accept mail for ip literals like  <at> [123.4.5.6].  If there is a requirement to 
accept such mail I don't think I have seen it.

I believe that if you choose to send mail FROM such a domain, it should be 
considered valid syntax by the receiver.  For example, if you don't have a 
domain name at all, or the sending server doesn't know its own domain name, it 
can still send out using an address literal.  (If you can't afford a lawyer, 
one will be provided to you by the court, but he might smell funny.)

I believe that if you send mail OUT using such a suffix, then you ought to be 
able to accept return of that mail, and be able to accept postmaster <at> [x] if 
you have used [x] as an ip literal in outgoing mail in the last 90 days.  I 
think that if you don't use ip literals in outgoing mail, there's no need to 
accept them.

David Woodhouse | 1 Dec 2004 02:16

RE: Re[2]: OT: education needed

On Tue, 2004-11-30 at 16:44 -0800, Greg Connor wrote:
> I would actually go one step further and say that you don't really have to 
> accept mail for ip literals like  <at> [123.4.5.6].  If there is a requirement to 
> accept such mail I don't think I have seen it.

Nothing more than §4.5.1 of RFC2821, which says "SMTP systems are
expected to make every reasonable effort to accept mail directed to
Postmaster from any other system on the Internet."

Since it's trivial for me to accept mail to postmaster <at>  IP literals I
choose to do so. If people have cause to enquire about a specific mail
server of mine they may want to use that address. They may not be able
to just connect directly to its port 25 and issue RCPT TO:<postmaster>;
they may be behind a firewall which blocks direct access to port 25 and
forces them to use a smarthost.

I wouldn't necessarily suggest that you MUST do so, but I'd certainly
suggest that you read §4.5.1 and §4.1.3 carefully before deciding not
to.

-- 
dwmw2

Stephen Pollei | 1 Dec 2004 02:54

RE: Attacking Domain Keys

On Mon, 2004-11-29 at 18:45, Hallam-Baker, Phillip wrote:
> > From: owner-spf-discuss <at> v2.listbox.com 
> > [mailto:owner-spf-discuss <at> v2.listbox.com] On Behalf Of Stephen Pollei
> 
> > On Mon, 2004-11-29 at 12:42, Hallam-Baker, Phillip wrote:
> > > The fact is that we are going to need BOTH SPF and DK to 
> > address all 
> > > the email authentication requirements that are out there. For 
> > > messaging convenience I try to encourage people to push SPF as an 
> > > anti-spam solution and DK in the anti-phishing area but we will 
> > > actually need both in both problems.
> > I don't see that SPF, DK, or IIM as being directly anti-spam 
> > or anti-phish... All of those are anti-forgery. Further I 
> > think that even a little bit of anti-forgery can work some 
> > wonders.

> Agreed, but remember the constraints we are working under here. The media
> cannot accept a complex, subtle message, they get easily confused.

So I won't allow the "media" to dictate technical decisions to me.

> SPF is sufficient for the aspen framework for eliminating spam. DK is a good
> platform to address many of the problems with phishing, but that does not
> mean that the two are not complementary since phishing is still a form of
> spam and reducing spam is beneficial in stopping phishing.

I also agree that public-key cryptography can add much value to just
using spf to catch the most blatant fraud/phish attempts. IMHO, however,
when it comes to phish/fraud scenarios I don't think DK adds much value
over just using spf. I have a two-part reasoning for this assertion.


M Z R | 1 Dec 2004 04:09

Broken SPF implementation

Hi Guys,

Is there a dedicated list or entity where broken SPF implementation
(both publishing and checking) can be reported?

I got this guy rejecting every domain with "-all" stating that the
mail came from an arbitrary IP (10.65.65.1). The following will
explain:

   ----- The following addresses had permanent fatal errors -----
<xxxxx <at> stream-net.com>
    (reason: 550 10.65.65.1 does not pass SPF requirements for domain
xxx <at> qalacom.com)

   ----- Transcript of session follows -----
... while talking to mail.stream-net.com.:

>>>>>> MAIL From:<xxx <at> qalacom.com> SIZE=4139

<<< 550 10.65.65.1 does not pass SPF requirements for domain xxx <at> qalacom.com
554 5.0.0 Service unavailable

Anybody who is publishing with "-all" can verify that this guy is
reporting the IP "10.65.65.1" as the sending host for all domains that
terminate with "-all". I already sent email to the postmaster of the
server.

Regards,

MZR
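The report above is what it looks like when a checker evaluates SPF against an internal address (here 10.65.65.1) instead of the host that actually connected from the Internet: every domain publishing "-all" fails. As an added example, not code from the original post, here is a minimal ip4/ip6/all evaluator that refuses to produce a verdict when the client IP it is handed is an RFC 1918, loopback or link-local address; the DNS lookup and the SPF record are stubbed with constructed values.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for a DNS TXT lookup; the policy uses documentation address space.
SPF_RECORDS = {"qalacom.com": "v=spf1 ip4:198.51.100.0/24 -all"}

# Addresses that can never be the Internet-facing peer of an SMTP session.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                     # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10")]

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    return SPF_RECORDS.get(domain)


def check_host(client_ip: str, domain: str) -> str:
    """Evaluate ip4/ip6/all mechanisms only (include/a/mx/exists are skipped)."""
    ip = ipaddress.ip_address(client_ip)
    # Guard: if the "client" is a private or local address we are looking at an
    # internal relay or a mis-wired front end, not the sender. Judging the domain
    # on that address rejects everyone who publishes -all, so stop here instead.
    if any(ip in net for net in NON_ROUTABLE):
        return "misconfigured: non-routable client IP, SPF not evaluated"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Address-family mismatch simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue
        if matched:
            return RESULT[qualifier]
    return "neutral"
```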

wayne | 1 Dec 2004 04:13

Thoughts on the next steps for the council

In <01a001c4d6c0$cf3f17e0$dfea243e <at> idimo2> "jpinkerton" <johnp <at> idimo.com> writes:

> Unless there are any serious objections to the votes cast, the result is
> clear :-
>
> The council will be formed by these people:-
>
>  Meng_Weng_Wong
>  Wayne_Schlitt
>  Chuck_Mead
>  Mark_asarian-host.net
>  Julian_Mehnle

Cool!  I think we have made a significant step forward in becoming
more organized.  IMHO, having over 150 people vote is very
significant, seeing as there are only around 150 unique posters in
the last 2 months, and many are just people wandering in to ask a
question and such.

As I see it, the council is here to resolve issues and be able to
quickly give definitive voice to all of us.  All the real work still
has to be done outside the council, so for the most part things really
haven't changed.  Work will get done by people who actually do the
work, whether they have the blessing of the council or not.  All the
council does is save us from a week of debate on the list, followed by
days of running an ad-hoc poll.

In order to take the next steps to become more organized, I see doing
the following things:


Chuck Mead | 1 Dec 2004 04:17

SPF Council Mailing List

I have set up a mailing list for the new SPF Council. The subscription 
point is here:

http://moongroup.com/mailman/listinfo/spf-council

There is a link to the archives there as well. As a courtesy anyone may 
join the list but only current council members may post. You may choose 
to simply view the archives... they will be public.

-- 
csm <at> moongroup.com, head geek
http://moongroup.com

Frank Ellermann | 1 Dec 2004 07:22

Re: Thoughts on the next steps for the council

wayne wrote:

> 1) Set up a publicly readable mailing list, which only the
> council members can post to.

Chuck apparently did this; a Gmane read-only subscription
should hit him within the next hours.

> 4) Decide what we want to do about the SPF I-D.

Yes, a.s.a.p. please.

> 5) Decide what we want to do about an "official" website.

<sigh>

> Meng is off in San Francisco right now, and Julian won't be
> back until Thursday.

And John reserved time for challenges, it's okay if you start
2004-12-03 21:00:00Z giving Julian one hour to catch up... ;-)

                     Bye, Frank

Frank Ellermann | 1 Dec 2004 07:31

OT (was: Attacking Domain Keys)

Hallam-Baker, Phillip wrote:

> I have been designing crypto protocols for over a decade.

BTW, I sent a question about 2069 to you and another author
some weeks ago by mail, but got no answer.  I'll submit it
to the "errata" if nothing else happens, it's no big issue.  

                           Bye, Frank
