ietf-mxcomp

RE: How would SPF or Sender Id caught this one?

2004-07-30 18:50:46


On Fri, 30 Jul 2004, Larry Seltzer wrote:

If you really want to trust that the contents of an email message was
authored by the person who claims to be the author, you need to use a
digital signature based authentication mechanism (e.g. S/MIME).
 
S/MIME isn't necessary to address this scenario, which does demonstrate
the basic flaw of any IP-based solution. Domain Keys would have stopped
it though. 

At a cost of losing legitimate email if you rely on it and if intermediate
systems (mailservers, forwarders, etc) do not support DK. On the other
hand, s/mime is designed to be an end-end system that works no matter what
intermediate systems do with email.

If we're to build a mail server signature insertion system (which is not a
bad idea since neither s/mime nor pgp are used widely by end-users, so
we must "help" them out by having mail servers sign email instead and
verify it), then such a system should be similar to real email
signatures and be end-end capable, meaning you don't have to be the next
hop in email transmission to be able to verify the signature safely.

One such proposal paper is available at
http://www.elan.net/~william/asrg/mta_signatures.htm

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
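The contrast drawn in this thread, as an added example that is not part of the original posts or of the linked proposal: an IP-authorization check fails once a forwarder relays the message, while a signature computed by the originating MTA over selected headers and the body still verifies at any later hop. The key pair, IP addresses, sample message and the `X-Toy-Signature` header name are all constructed for this illustration (textbook RSA with small primes, no padding), not a real scheme.

```python
import hashlib
from email import message_from_string

# Constructed toy RSA key pair (textbook RSA, small primes): illustration only;
# a real deployment would use a proper signature scheme with padding.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

SIGNED_HEADERS = ("from", "to", "subject")   # trace headers are deliberately excluded
AUTHORIZED_IPS = {"192.0.2.10"}              # constructed: sender domain's own outbound MTA

def canonical(msg):
    """Bytes the signature covers: selected headers plus the body, so later
    hops that only prepend Received headers do not invalidate it."""
    head = "".join(f"{h}:{msg.get(h, '').strip()}\n" for h in SIGNED_HEADERS)
    return (head + msg.get_payload()).encode()

def digest(msg):
    return int.from_bytes(hashlib.sha256(canonical(msg)).digest(), "big") % N

def sign(raw):
    """Originating MTA: prepend the signature header to the outgoing message."""
    msg = message_from_string(raw)
    return f"X-Toy-Signature: {pow(digest(msg), D, N)}\n" + raw

def verify(raw):
    """Any hop, not only the next one, can check with the public key (N, E)."""
    msg = message_from_string(raw)
    sig = msg.get("X-Toy-Signature")
    return sig is not None and pow(int(sig), E, N) == digest(msg)

def ip_authorized(connecting_ip):
    """Stand-in for an IP-based sender check: is the connecting host authorized?"""
    return connecting_ip in AUTHORIZED_IPS

def deliver_via_forwarder(raw, tamper=False):
    """Sender MTA (192.0.2.10) -> forwarder (198.51.100.5) -> final MTA.
    Returns (IP check at forwarder, IP check at final hop, signature at final hop)."""
    signed = sign(raw)
    at_forwarder = ip_authorized("192.0.2.10")
    forwarded = "Received: from 192.0.2.10 by forwarder.example\n" + signed
    if tamper:  # simulate a hop altering the body in transit
        forwarded = forwarded.replace("meet at noon", "meet at 3pm")
    at_final_ip = ip_authorized("198.51.100.5")   # final hop sees the forwarder's IP
    return at_forwarder, at_final_ip, verify(forwarded)

MESSAGE = ("From: alice@example.com\nTo: bob@example.net\nSubject: lunch\n\n"
           "Let's meet at noon.\n")  # constructed sample message

if __name__ == "__main__":
    print(deliver_via_forwarder(MESSAGE))               # (True, False, True)
    print(deliver_via_forwarder(MESSAGE, tamper=True))  # (True, False, False)
```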