[pycrypto] Quick and Easy Email Authentication

Mads Kiilerich mads at kiilerich.com
Wed Feb 11 15:34:58 CST 2009


David MacQuigg wrote, On 02/11/2009 04:41 PM:
> RSA, maybe some way to do this with hashcodes?  If we can solve this
> problem, it could lead to a robust, no-exceptions policy on
> authentication of SMTP mail sessions.
>   

Such systems already exists, designed and peer reviewed by experts. The 
primarily problem they face is acceptance - and the lack of acceptance 
because of the trade-offs made to make the protocols acceptable. And 
nobody with real-world need for email can rely on such protocols before 
everybody else uses them, and thus there is no need to deploy the 
protocols before everybody else uses them.

> Let me try to state the problem in more fundamental terms.  A stranger
> says HELO this is f33faf76.mailout09.arizona.edu.  The only other
> information you have to verify that claim is a DNS text record at
> mailout09.arizona.edu. That record can hold up to 480 bytes of text.
>   

The DNS system is fundamentally broken and insecure. You shouldn't rely 
on it at all. Secure DNS is really a must but unfortunately not widely 
deployed, so we must rely on DNS for functionality but shouldn't rely on 
it for security.

> criminals.  More secure sites can add additional checks, including a
> digital signature on the entire message.
>   

IMHO the right solution to the problem you are trying to solve lies in 
that direction. Why try to find another and less perfect solution?

But ... this is a (silent) list for python crypto, not for protocol 
design and email systems. Other lists might be more appropriate.

/Mads
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3435 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.dlitz.net/pipermail/pycrypto/attachments/20090211/5f5d77af/attachment.bin 


More information about the pycrypto mailing list