[pycrypto] Quick and Easy Email Authentication

Mads Kiilerich mads at kiilerich.com
Wed Feb 11 15:34:58 CST 2009

David MacQuigg wrote, On 02/11/2009 04:41 PM:
> RSA, maybe some way to do this with hashcodes?  If we can solve this
> problem, it could lead to a robust, no-exceptions policy on
> authentication of SMTP mail sessions.

Such systems already exists, designed and peer reviewed by experts. The 
primarily problem they face is acceptance - and the lack of acceptance 
because of the trade-offs made to make the protocols acceptable. And 
nobody with real-world need for email can rely on such protocols before 
everybody else uses them, and thus there is no need to deploy the 
protocols before everybody else uses them.

> Let me try to state the problem in more fundamental terms.  A stranger
> says HELO this is f33faf76.mailout09.arizona.edu.  The only other
> information you have to verify that claim is a DNS text record at
> mailout09.arizona.edu. That record can hold up to 480 bytes of text.

The DNS system is fundamentally broken and insecure. You shouldn't rely 
on it at all. Secure DNS is really a must but unfortunately not widely 
deployed, so we must rely on DNS for functionality but shouldn't rely on 
it for security.

> criminals.  More secure sites can add additional checks, including a
> digital signature on the entire message.

IMHO the right solution to the problem you are trying to solve lies in 
that direction. Why try to find another and less perfect solution?

But ... this is a (silent) list for python crypto, not for protocol 
design and email systems. Other lists might be more appropriate.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3435 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.dlitz.net/pipermail/pycrypto/attachments/20090211/5f5d77af/attachment.bin 

More information about the pycrypto mailing list