Now that the Internet Engineering Task Forces MARID (MTA Authorization Records In DNS) standards process has collapsed—without even the hint of a consensus—its time to think about the future. Perhaps the best solution is to abandon the Tower of Babel that surrounds the current IP-based authentication systems and move straight to the next generation: a cryptographic approach.
All of the authentication designs considered by MARID were IP-based, meaning they attempted to determine if the IP address of the sender was an authorized sender for a particular domain. The disagreements were over which address to authenticate, at which stage of the process, and so on.
There are a number of well-known and common problems with IP-based solutions, starting with reliability. Not one of the standards under consideration was clearly more reliable than the others, which is why there was no consensus among the working group. Worse, all of the candidates were unreliable when e-mail comes from more than one hop away. While it turns out that the vast majority of e-mail reaches its destination in a single hop, still, thats a big problem.
Some of the smartest people involved in this process have said all along that for the long term cryptography-based solution will be needed. With this approach, the mail sender signs some specific portion of the message (including headers) with their private key and puts their public key in the DNS for others to find. Recipients retrieve this public key and use it to prove that the mail did indeed come from the domain it purports to come from and that it hasnt been tampered with.
However, just as with IP-based authentication, crypto-authentication only proves where the message came from, not that it is, or is not, spam. It is just as reliant as IP-based solutions on reputation and accreditation systems to create real antispam systems.
Next page: Yes, there is too a cryptography-based solution
Yes, there is too
a crypto-based solution”>
On the cryptography-based front, a proposal has been in place for a long time, Yahoo!s DomainKeys. At the same time, there is another IETF group looking into a standard for signing e-mail for such purposes.
DomainKeys has been around for a long time, as these things go. Sendmails filter for it is already in its second version and Yahoo! is working on a qmail implementation.
(Incidentally, a quick read of the DomainKeys site shows that another company claims that trademark. Well see how that little battle plays out.)
Still, there is one theoretical advantage to IP-based systems. One criticism of authentication systems is that they cant stop spammers from simply creating valid DNS records that can then authorize zombied consumer PCs to send e-mail.
The use of a reputation system could proactively scan the DNS for domains (especially on networks known to tolerate spammers) for authorized addresses in IP space where it shouldnt belong, such as those belonging to consumer broadband ISPs. This should raise a big red flag and could establish reputation before a single message was sent out. By comparison, the proactive scan of crypto-based records would not show anything useful.
Overall, cryptography solves problems evident in the IP-based systems. So if crypto is already better and available, why do the experts view it as the next-generation? Why not do it now?
The assumption was that a cryptography-based standard will take longer to get ready. Meanwhile, the IP-based standard seems to be taking a lot longer than anyone thought it would. Now were supposed to have a period of experimentation before we get back to the standards drawing board. Can anyone call this process expedient?
What if the MailSIG group decides in short order to endorse DomainKeys? (For this hypothetical question, Im ignoring the few other proposals now under consideration by the working group because Yahoo! tells me that by the end of the year they will be signing all outbound Yahoo! Mail with DomainKeys and verifying it inbound. It sounds as if DomainKeys is closer to being a practical solution than we thought.)
From current signs, unlike some other large companies in the software business, Yahoo! will not be jerks about the license. Yes, they do have patent claims for the technology in DomainKeys but representatives tell me that they will not require implementers to sign a license and they will allow sublicensing. The license will be royalty-free, worldwide and perpetual with one exception: if you sue Yahoo! or another licensee over it. While I havent seen the license itself, it sounds as if Yahoo! Doesnt want to repeat Microsofts mistakes.
In addition, there may be an interim solution that allows the IP-based proposals and DomainKeys to experiment simultaneously in a single framework. The Unified SPF (Sender Policy Framework) by Meng Weng Wong, author of the SPF standard and co-author of the Sender ID specification, can support one or more authentication methods specified by the system administrator. DomainKeys could be one of them. No doubt, some syntax work would need to be done, but that seems like a relatively small matter.
Now, I always assumed that the performance burden of a crypto approach would be large; Yahoo! says this is not the case. Mail servers typically are not CPU-bound and have capacity to spare, although some companies will have to upgrade their servers before all this authentication business is done with.
But the sooner this is done the better. Moving forward with an IP-based solution only means that everyone will have to upgrade to a future crypto solution. Why burden our industry with two steps when one will do better?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer