Yes, there is too

By Larry Seltzer  |  Posted 2004-09-23 Print this article Print

a crypto-based solution"> On the cryptography-based front, a proposal has been in place for a long time, Yahoo!s DomainKeys. At the same time, there is another IETF group looking into a standard for signing e-mail for such purposes. DomainKeys has been around for a long time, as these things go. Sendmails filter for it is already in its second version and Yahoo! is working on a qmail implementation.

(Incidentally, a quick read of the DomainKeys site shows that another company claims that trademark. Well see how that little battle plays out.)

Still, there is one theoretical advantage to IP-based systems. One criticism of authentication systems is that they cant stop spammers from simply creating valid DNS records that can then authorize zombied consumer PCs to send e-mail. The use of a reputation system could proactively scan the DNS for domains (especially on networks known to tolerate spammers) for authorized addresses in IP space where it shouldnt belong, such as those belonging to consumer broadband ISPs. This should raise a big red flag and could establish reputation before a single message was sent out. By comparison, the proactive scan of crypto-based records would not show anything useful.

Overall, cryptography solves problems evident in the IP-based systems. So if crypto is already better and available, why do the experts view it as the next-generation? Why not do it now? The assumption was that a cryptography-based standard will take longer to get ready. Meanwhile, the IP-based standard seems to be taking a lot longer than anyone thought it would. Now were supposed to have a period of experimentation before we get back to the standards drawing board. Can anyone call this process expedient?

What if the MailSIG group decides in short order to endorse DomainKeys? (For this hypothetical question, Im ignoring the few other proposals now under consideration by the working group because Yahoo! tells me that by the end of the year they will be signing all outbound Yahoo! Mail with DomainKeys and verifying it inbound. It sounds as if DomainKeys is closer to being a practical solution than we thought.)

From current signs, unlike some other large companies in the software business, Yahoo! will not be jerks about the license. Yes, they do have patent claims for the technology in DomainKeys but representatives tell me that they will not require implementers to sign a license and they will allow sublicensing. The license will be royalty-free, worldwide and perpetual with one exception: if you sue Yahoo! or another licensee over it. While I havent seen the license itself, it sounds as if Yahoo! Doesnt want to repeat Microsofts mistakes.

In addition, there may be an interim solution that allows the IP-based proposals and DomainKeys to experiment simultaneously in a single framework. The Unified SPF (Sender Policy Framework) by Meng Weng Wong, author of the SPF standard and co-author of the Sender ID specification, can support one or more authentication methods specified by the system administrator. DomainKeys could be one of them. No doubt, some syntax work would need to be done, but that seems like a relatively small matter.

Now, I always assumed that the performance burden of a crypto approach would be large; Yahoo! says this is not the case. Mail servers typically are not CPU-bound and have capacity to spare, although some companies will have to upgrade their servers before all this authentication business is done with.

But the sooner this is done the better. Moving forward with an IP-based solution only means that everyone will have to upgrade to a future crypto solution. Why burden our industry with two steps when one will do better?

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page:   More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel