
Mailing List Archive: SPF: Discuss

Presentation on e-mail sender authentication

 

 



julian at mehnle

May 10, 2007, 4:19 PM

Post #1 of 3 (1236 views)
Presentation on e-mail sender authentication

Hi all,

on Wednesday I gave a presentation at the Technical University of Munich
(TUM) on the general concept of e-mail sender authentication and the
specifics of a few authentication methods.

These are the slides:

http://www.mehnle.net/papers/e-mail-sender-authentication-slides.en.pdf (0.7MB)
http://www.mehnle.net/papers/e-mail-sender-authentication-slides.en.odp (1.9MB)
http://www.mehnle.net/papers/e-mail-sender-authentication-slides.en.ppt (2.7MB)

Feel free to use them as a basis for new presentations (license: CC BY-SA 3.0[1]).

References:
1. http://creativecommons.org/licenses/by-sa/3.0/


-------------------------------------------
-----------------------------------------------------------------------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?list_id=735
Powered by Listbox: http://www.listbox.com


william at elan

May 10, 2007, 5:42 PM

Post #2 of 3 (1170 views)
Re: Presentation on e-mail sender authentication

Small error - DK and DKIM will not protect the Sender header field, at most
they may provide some protection for From but even that is debatable
considering most want as weak SSP as possible.

Also PGP and S/MIME are probably not well explained, and some small
issues there, i.e. public key exchanges are all standardized, it's
just a completely different way of exchanges, i.e. signed certificate
from trusted root for S/MIME and verification of chain of trust for PGP.
Not widely deployed is also wrong (they are both quite widely deployed
and over 95% of currently used MUA support one or another), but not
widely used due to perceived complexity would be entirely correct.

Could also have been good to mention at the end to EU audience that
strong privacy laws spammers and should be done only with strong laws
regarding abuse of domains including action by domain registrars
(which is currently not the case).

Otherwise quite good general email authentication presentation.



julian at mehnle

May 14, 2007, 3:23 AM

Post #3 of 3 (1153 views)
Re: Presentation on e-mail sender authentication

William Leibzon wrote:
> Small error - DK and DKIM will not protect the Sender header field, at most
> they may provide some protection for From but even that is debatable
> considering most want as weak SSP as possible.

Thanks for the heads-up.

> Also PGP and S/MIME are probably not well explained,

Yes, I assumed that my audience was already aware of the general
functionality of PGP and S/MIME so I chose not to go into any details there.

> and some small issues there, i.e. public key exchanges are all
> standardized, it's just a completely different way of exchanges, i.e. signed
> certificate from trusted root for S/MIME and verification of chain of
> trust for PGP.

At least for PGP there's no standardized way of distributing PKs (I don't
consider key servers as such since by far not everyone uploads their keys
to a key server, and this is not due to user ignorance or inertia).

> Not widely deployed is also wrong (they are both quite widely deployed
> and over 95% of currently used MUA support one or another), but not
> widely used due to perceived complexity would be entirely correct.

Well, OK, S/MIME is sort of widely supported in software (mainly due to
Microsoft products), but it doesn't get used a lot. I consider "being in
use" one of two major parts of "deployment" ("being supported" being the
other).

In any case, PGP is NOT widely supported (let alone widely in use).

> Could also have been good to mention at the end to EU audience that
> strong privacy laws spammers and should be done only with strong laws
> regarding abuse of domains including action by domain registrars
> (which is currently not the case).

True, however the focus of the presentation was a technical one.

> Otherwise quite good general email authentication presentation.

Thanks for your feedback, William!
