Talk:Email authentication: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Howard C. Berkowitz
imported>David MacQuigg
Line 15: Line 15:


You might want to look at the [[information security]] article and be sure that your bullet definitions in the introduction are consistent and linked. This doesn't mean that you can't edit information security: indeed delay, a subset of inadequate but not nonexistent performance, probably should be there. (D)DoS is a set of attack techniques rather than a type of security threat. [[User:Howard C. Berkowitz|Howard C. Berkowitz]] 15:18, 23 October 2009 (UTC)
You might want to look at the [[information security]] article and be sure that your bullet definitions in the introduction are consistent and linked. This doesn't mean that you can't edit information security: indeed delay, a subset of inadequate but not nonexistent performance, probably should be there. (D)DoS is a set of attack techniques rather than a type of security threat. [[User:Howard C. Berkowitz|Howard C. Berkowitz]] 15:18, 23 October 2009 (UTC)
:Good points.  I've changed the wording to emphasize that we really mean security, not malfunction or reliability problems.  In a security context, we always have an opponent.  We look at delays not as a problem with network performance, but rather as a possible way to mislead an opponent, e.g. a delay in news affecting a stock price, while the bad guys place their orders first.
:Seems that every text has a different way to list the requirements for secure communications.  The perfect schema is the one that covers all possible threats with simple, non-overlapping categories.  Such a schema does not exist, because there are always overlaps.  If you have authentication (you know the message came from Alice), then you have to have some degree of verification.  If the message has been altered, what does it mean to say that it came from Alice.
:"Concealment" is the term used in Shannon's schema (1949 paper on secrecy systems).  This does seem to better convey what we really mean on this aspect of security.
:--[[User:David MacQuigg|David MacQuigg]] 07:26, 3 February 2010 (UTC)

Revision as of 01:26, 3 February 2010

This article is a stub and thus not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
To learn how to update the categories for this article, see here. To update categories, edit the metadata template.
 Definition Brief overview of methods used to authenticate the sender of an email. [d] [e]
Checklist and Archives
 Workgroup category Computers [Please add or review categories]
 Talk Archive none  English language variant American English

The challenge in this article is to introduce a subtopic that has a huge amount of detail without overwhelming the non-expert reader. We can do that by keeping the focus narrow, relying on a parent topic to establish a conceptual framework and terminology for the discussion, and subtopics to offload much of the detail. In this article we will include just those details that are needed for a coherent presentation of the topic, or that are interesting enough to outweigh the burden of including them.

There are several authoritative references (RFCs) on authentication methods. There are also Wikipedia articles that may be more readable than the RFCs. In this article, we will try to avoid the "written by committee" style, where every contributor gets to squeeze in a few facts that he considers important. The subtopics on each authentication method will be a better place for more detail.

Terminology is a challenge. Should we use the same terms the experts use (MTA, Reverse Path, etc.) or terms that are more meaningful to non-experts (Mail Relay, Return Address, etc.)? We have chosen the latter, because our articles are intended for non-experts. Experts will have no trouble understanding what we mean, as long as we avoid mis-using any of their special terminology. We will capitalize terms that we intend to have a special meaning (e.g. Relay instead of relay).

Planned Additional Subtopics

  SPF
  SenderID
  DKIM
  CSV

Information security

You might want to look at the information security article and be sure that your bullet definitions in the introduction are consistent and linked. This doesn't mean that you can't edit information security: indeed delay, a subset of inadequate but not nonexistent performance, probably should be there. (D)DoS is a set of attack techniques rather than a type of security threat. Howard C. Berkowitz 15:18, 23 October 2009 (UTC)

Good points. I've changed the wording to emphasize that we really mean security, not malfunction or reliability problems. In a security context, we always have an opponent. We look at delays not as a problem with network performance, but rather as a possible way to mislead an opponent, e.g. a delay in news affecting a stock price, while the bad guys place their orders first.
Seems that every text has a different way to list the requirements for secure communications. The perfect schema is the one that covers all possible threats with simple, non-overlapping categories. Such a schema does not exist, because there are always overlaps. If you have authentication (you know the message came from Alice), then you have to have some degree of verification. If the message has been altered, what does it mean to say that it came from Alice.
"Concealment" is the term used in Shannon's schema (1949 paper on secrecy systems). This does seem to better convey what we really mean on this aspect of security.
--David MacQuigg 07:26, 3 February 2010 (UTC)