Alan DeKok wrote:
> What about putting the MARID data in-line in SMTP via an extension?
> It can be signed, and the keys can go into DNS à la DK, which should
> validate it.
Actually not a bad idea, but two counter arguments:
- This is based on cryptography. This means it has to cope with
secret keys. We do not have the hardware to keep secret
keys secret. Remember that there are spam armies built from
hundreds of thousands of machines infected with malicious
code. This code has already collected license keys and such stuff.
The same people who wrote this software would immediately
start to write routines to collect the keys to generate
false records. Today you can buy collections of e-mail address
lists. Tomorrow they will come with stolen keys.
You would need to have a highly protected issuer of such
records. Do you think that's practical and feasible?
- If you, on the other hand, give every sender or domain owner
a key to generate the record himself, why bother with this
at all? Why not simply sign the message itself?
regards
Hadmut
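The exchange sketched in this thread, written out as an added example in Go. It is not code from either poster or from any MARID or DomainKeys implementation; the in-memory `KeyStore`, the `s1._domainkey.example.com` name, the record format and the sample message are all constructed here to stand in for DNS and real mail. It shows a DK-style flow (public key published under the domain, private key used to sign, verifier looks the key up) and the two points made above: the same key and the same signing call cover both an in-SMTP sender record and the message itself, and whoever holds a stolen private key produces records that verify exactly like the owner's, while an attacker with only his own key cannot.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// KeyStore stands in for DNS: "selector._domainkey.domain" -> public key.
// (Constructed for this example; a real verifier would query TXT records.)
type KeyStore map[string]*rsa.PublicKey

func dnsName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// Publish places a domain's public key where verifiers can find it.
func (ks KeyStore) Publish(selector, domain string, pub *rsa.PublicKey) {
	ks[dnsName(selector, domain)] = pub
}

// Sign produces a base64 PKCS#1 v1.5 signature over SHA-256(data).
// The same call signs a sender record or a message body; neither the
// signer nor a thief holding the key needs to do anything different.
func Sign(priv *rsa.PrivateKey, data []byte) (string, error) {
	h := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify looks up the claimed domain's key and checks the signature.
func (ks KeyStore) Verify(selector, domain string, data []byte, sigB64 string) error {
	pub, ok := ks[dnsName(selector, domain)]
	if !ok {
		return errors.New("no key published for " + dnsName(selector, domain))
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Outcome records who could produce data that verifies for example.com.
type Outcome struct {
	OwnerRecordOK  bool // legitimate owner signs an in-SMTP sender record
	OwnerMessageOK bool // same key, same operation, applied to the message body
	ThiefRecordOK  bool // attacker who stole the owner's private key
	StrangerOK     bool // attacker with his own, unpublished key
}

// Scenario runs the exchange with constructed keys, record and message.
func Scenario() (Outcome, error) {
	var out Outcome
	dns := KeyStore{}

	owner, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	dns.Publish("s1", "example.com", &owner.PublicKey)

	// Constructed sample data; the record syntax is invented for the example.
	record := []byte("v=1; d=example.com; ip=192.0.2.10; t=1097000000")
	message := []byte("From: user@example.com\r\nSubject: hi\r\n\r\nbody\r\n")

	sig, _ := Sign(owner, record)
	out.OwnerRecordOK = dns.Verify("s1", "example.com", record, sig) == nil

	msig, _ := Sign(owner, message)
	out.OwnerMessageOK = dns.Verify("s1", "example.com", message, msig) == nil

	// A stolen key is indistinguishable from the owner's own use of it.
	stolen := owner
	forged := []byte("v=1; d=example.com; ip=198.51.100.7; t=1097000000")
	fsig, _ := Sign(stolen, forged)
	out.ThiefRecordOK = dns.Verify("s1", "example.com", forged, fsig) == nil

	// Without the published key, no record for example.com verifies.
	ssig, _ := Sign(stranger, forged)
	out.StrangerOK = dns.Verify("s1", "example.com", forged, ssig) == nil

	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints the four booleans: the owner's record and message both verify, the thief's forged record verifies, the stranger's does not. Nothing in the verifier distinguishes the owner from the thief, which is the key-compromise argument above; and since the owner's signing step is identical for the record and for the message, a separate signed sender record adds no assurance the signed message would not already carry.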