Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys"

2003-12-09 13:14:19
Yakov,

At 11:46 AM 12/9/2003, Yakov Shafranovich wrote:
Markus Stumpf wrote:
On Mon, Dec 08, 2003 at 03:35:28PM -0500, Yakov Shafranovich wrote:

The signature attests to the fact that the domain name or server from which the message originated is not forged.

*lol*
I don't see any more security here than with a "paranoid" DNS lookup.
If I do a reverse DNS lookup and get a name and do a lookup of the name
and get the IP I can assume #1 that it is correct.
   #1 with drawbacks as to DNS spoofing and DNS security.
Now, if the sending MTA has a signature on the message and I use DNS
to get the public key to verify the signature #1 from above still
applies. So the win for using PKI and not paranoid DNS lookups is zero.
[..]

Would there be a difference if the message is forwarded through a list, or is transferred via multiple MTAs?

Is it fair to say that there may be many MTAs at the sender's domain, many at the receiver's domain, but there should at most be one MTA(i) in the forwarding path? From the standpoint of mail signing, might the multiple MTAs at the sender be considered as a single MTA and similarly for the receiver?

Mark


Yakov

-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Be liberal in what you accept, and conservative in what you send" (Jon Postel)
-------


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



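The forwarding question raised in this thread, worked through as an added example (this is not code from the thread or from Yahoo's DomainKeys). A textbook-sized RSA pair and a constructed in-memory DNS table stand in for the real key and the real lookups, so the host names, addresses and the `s1._domainkey` selector are assumptions. It shows that both checks share DNS as their trust root, and where they part ways once a relay sits in the path.

```python
import hashlib

# Toy RSA key pair for example.com (n = 61 * 53; textbook numbers, NOT secure).
N, E, D = 3233, 17, 2753

# Constructed stand-in for DNS: PTR, A and a DomainKeys-style TXT key record.
# Both the "paranoid" lookup and the key fetch trust this same table.
DNS = {
    "10.2.0.192.in-addr.arpa": ("PTR", "mail.example.com"),
    "mail.example.com": ("A", "192.0.2.10"),
    "5.100.51.198.in-addr.arpa": ("PTR", "relay.list.example"),
    "relay.list.example": ("A", "198.51.100.5"),
    "s1._domainkey.example.com": ("TXT", (N, E)),
}

def ptr_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def fcrdns_ok(ip, sender_domain):
    """'Paranoid' check: PTR -> name, name -> A; the A must equal the
    connecting IP and the name must lie inside the sender's domain."""
    rtype, name = DNS.get(ptr_name(ip), (None, None))
    if rtype != "PTR":
        return False
    rtype, addr = DNS.get(name, (None, None))
    return rtype == "A" and addr == ip and name.endswith("." + sender_domain)

def digest(body, n):
    return int(hashlib.sha256(body.encode()).hexdigest(), 16) % n

def sign(body, d=D, n=N):
    return pow(digest(body, n), d, n)

def verify(body, sig, domain, selector="s1"):
    """Fetch the domain's public key from DNS, then check the signature."""
    rtype, key = DNS.get(f"{selector}._domainkey.{domain}", (None, None))
    if rtype != "TXT":
        return False
    n, e = key
    return pow(sig, e, n) == digest(body, n)

def scenario(connecting_ip, body, sig, domain="example.com"):
    """Return (paranoid-DNS verdict, signature verdict) at the receiver."""
    return fcrdns_ok(connecting_ip, domain), verify(body, sig, domain)

BODY = "Subject: hi\n\nsigned at the origin MTA\n"   # constructed message
SIG = sign(BODY)
direct = scenario("192.0.2.10", BODY, SIG)           # origin MTA delivers
relayed = scenario("198.51.100.5", BODY, SIG)        # list relay delivers
altered = scenario("198.51.100.5", BODY + "-- list footer\n", SIG)
```

Direct delivery passes both checks; via the relay the PTR chain names the relay, not the sender's domain, while the signature still verifies; once the list appends a footer the signature fails too, which is the practical cost of signing over a body that intermediaries may rewrite.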