
A solution to the e-mail authentication issue

Mar 10, 2004

* SMBmeta could be a basis for identifying users and their mail servers

In his keynote address to the RSA Security Conference a couple of weeks ago, Microsoft Chief Mouthpiece, Bill Gates, twittered on about something he called “Caller ID for E-mail” as a way of staunching the flow of spam into our inboxes. Boiled down to its essence, the plan relies on authenticating e-mail senders so as to both block forged addresses as well as track the source of unsolicited messages for body part enhancers, no-questions-asked loans, advanced degrees, “free” phones and other too-good-to-be-true offers.

Authentication is, of course, an identity service so it’s something we need to pay attention to – especially when Microsoft embraces an existing technology. (You’ll remember what Microsoft did with Kerberos. If not, see “Kerberos and Windows 2000,”

There are already a number of competing proposals for sender authentication protocols and standards, including Yahoo’s DomainKeys and two separate tracks within the IETF: Sender Policy Framework (SPF) and Lightweight MTA Authentication Protocol (LMAP). All, in one way or another, are attempts to authenticate the domain and/or the user that an e-mail message purports to originate from.

The first problem (which I’m sure you’ve already foreseen) is that these protocols, proposals and ideas do not interoperate. And all require changes to either the mail servers, mail clients, or to both.

The second problem is that an awful lot of effort is being expended on competing standards for what is – while an exasperating problem for many of us – a small part of the authentication needs of the worldwide network. That means I can revive my annual call for a universal, self-publishing, loosely-coupled personal directory.

If you’ve just joined the readership in the past year, or weren’t paying attention last May, you should review the four newsletters pointed to in the links below with the headline “a universal, self-publishing, loosely-coupled personal directory,” which examine a proposal by VisiCalc creator Dan Bricklin for a technology called SMBmeta. This was initially designed as an easy-to-use but dynamic way for small to midsized companies to provide directory (i.e., yellow pages) information to search engines.

My idea was to expand the use of SMBmeta so that individuals could provide dynamic directory (i.e., LDAP stuff) information to anyone who was searching for it and which can be amalgamated by identity-engines on directory portals throughout the Internet.

Build some security onto this structure and it becomes an ideal way to authenticate users as well as to identify the mail servers they use. While it’s true that someone traveling might use a different server to send mail from time to time (mostly because they’re too lazy to reconfigure their mail client), generally people use the same mail servers 99% of the time, making it really easy to authenticate both the user and the server.

It seems like a simple, elegant solution. Probably too simple and elegant to ever be considered. But at least we can think about it.