[pycrypto] Quick and Easy Email Authentication
mads at kiilerich.com
Wed Feb 11 15:34:58 CST 2009
David MacQuigg wrote, On 02/11/2009 04:41 PM:
> RSA, maybe some way to do this with hashcodes? If we can solve this
> problem, it could lead to a robust, no-exceptions policy on
> authentication of SMTP mail sessions.
Such systems already exists, designed and peer reviewed by experts. The
primarily problem they face is acceptance - and the lack of acceptance
because of the trade-offs made to make the protocols acceptable. And
nobody with real-world need for email can rely on such protocols before
everybody else uses them, and thus there is no need to deploy the
protocols before everybody else uses them.
> Let me try to state the problem in more fundamental terms. A stranger
> says HELO this is f33faf76.mailout09.arizona.edu. The only other
> information you have to verify that claim is a DNS text record at
> mailout09.arizona.edu. That record can hold up to 480 bytes of text.
The DNS system is fundamentally broken and insecure. You shouldn't rely
on it at all. Secure DNS is really a must but unfortunately not widely
deployed, so we must rely on DNS for functionality but shouldn't rely on
it for security.
> criminals. More secure sites can add additional checks, including a
> digital signature on the entire message.
IMHO the right solution to the problem you are trying to solve lies in
that direction. Why try to find another and less perfect solution?
But ... this is a (silent) list for python crypto, not for protocol
design and email systems. Other lists might be more appropriate.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3435 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.dlitz.net/pipermail/pycrypto/attachments/20090211/5f5d77af/attachment.bin
More information about the pycrypto