No Time Like the Present for Next-Generation Authentication

Opinion: Forget all the clamor for IP-based authentication plans like MARID. It's all a waste of time when the long-term, cryptography-based solution is close at hand.

Now that the Internet Engineering Task Forces MARID (MTA Authorization Records In DNS) standards process has collapsed—without even the hint of a consensus—its time to think about the future. Perhaps the best solution is to abandon the Tower of Babel that surrounds the current IP-based authentication systems and move straight to the next generation: a cryptographic approach.

All of the authentication designs considered by MARID were IP-based, meaning they attempted to determine if the IP address of the sender was an authorized sender for a particular domain. The disagreements were over which address to authenticate, at which stage of the process, and so on.

There are a number of well-known and common problems with IP-based solutions, starting with reliability. Not one of the standards under consideration was clearly more reliable than the others, which is why there was no consensus among the working group. Worse, all of the candidates were unreliable when e-mail comes from more than one hop away. While it turns out that the vast majority of e-mail reaches its destination in a single hop, still, thats a big problem.

Some of the smartest people involved in this process have said all along that for the long term cryptography-based solution will be needed. With this approach, the mail sender signs some specific portion of the message (including headers) with their private key and puts their public key in the DNS for others to find. Recipients retrieve this public key and use it to prove that the mail did indeed come from the domain it purports to come from and that it hasnt been tampered with.

However, just as with IP-based authentication, crypto-authentication only proves where the message came from, not that it is, or is not, spam. It is just as reliant as IP-based solutions on reputation and accreditation systems to create real antispam systems.

Next page: Yes, there is too a cryptography-based solution