Yahoo! Develops Anti-Spam Architecture

prostoalex writes "Yahoo!, the owner of one of the largest e-mail systems in the world, is said to be developing a cryptographic product that will be offered freely to mail servers. 'Domain Keys,' according to the Reuters article, would require the message sender to authenticate in order for message to come across a trusted e-mail network. The idea has been around for ages, however, it required someone from the big league like Yahoo! to step in." While Yahoo! isn't the first name that comes to mind when I think of trusted email, it's still a step in the right direction.

Must be missing something

[Space+cowboy]

The text of the article has to be wrong - they say the private key is delivered as a message header! Hmm, not very private...

I'm assuming that what is sent out is an encypted token for which the public key can be used to decrpyt, so:

• Alice wants to send an email to Bob.
  
• Alice encrypts the MD5 checksum of the mail body content (or some other representative text, probably longer than 32 bytes!) using her private key, and embeds the resulting encoded string into a mail header
  
• Bob receives the mail, and looks up Alice's public key to decrypt the token
  
• Bob compares the decrypted token with the same representative text to see if they match.
  
• Match => Read. No match => Put into 'Junk' folder
  

So, the token to be encoded will change from mail to mail, thus making replay techniques pretty much impossible, I think. At least, that's the way I'd do it, and I'm pretty sure I've seen it presented before as well...

On the other hand, I ain't a security expert, so there's probably a gaping hole in the above :-)

Simon

You just can't win with the /. crowd

If someone announced a cure for all cancers, this crowd would immediately dismiss it because it could possible be bought by Microsoft. You pimply-faced pessimists remind my of Eor from Winnie the Pooh.