No Time Like the Present for Next-Generation Authentication

By Larry Seltzer  |  Posted 2004-09-23 Print this article Print

Opinion: Forget all the clamor for IP-based authentication plans like MARID. It's all a waste of time when the long-term, cryptography-based solution is close at hand.

Now that the Internet Engineering Task Forces MARID (MTA Authorization Records In DNS) standards process has collapsed—without even the hint of a consensus—its time to think about the future. Perhaps the best solution is to abandon the Tower of Babel that surrounds the current IP-based authentication systems and move straight to the next generation: a cryptographic approach. All of the authentication designs considered by MARID were IP-based, meaning they attempted to determine if the IP address of the sender was an authorized sender for a particular domain. The disagreements were over which address to authenticate, at which stage of the process, and so on.

There are a number of well-known and common problems with IP-based solutions, starting with reliability. Not one of the standards under consideration was clearly more reliable than the others, which is why there was no consensus among the working group. Worse, all of the candidates were unreliable when e-mail comes from more than one hop away. While it turns out that the vast majority of e-mail reaches its destination in a single hop, still, thats a big problem.

Some of the smartest people involved in this process have said all along that for the long term cryptography-based solution will be needed. With this approach, the mail sender signs some specific portion of the message (including headers) with their private key and puts their public key in the DNS for others to find. Recipients retrieve this public key and use it to prove that the mail did indeed come from the domain it purports to come from and that it hasnt been tampered with.

However, just as with IP-based authentication, crypto-authentication only proves where the message came from, not that it is, or is not, spam. It is just as reliant as IP-based solutions on reputation and accreditation systems to create real antispam systems.

Next page: Yes, there is too a cryptography-based solution

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel