On Fri, 24 Jul 2015, Aaron Zauner wrote:
Just wanted to point out that UTA has received a draft that's very
interesting (and IMHO more valuable than anything that relies on DNSSEC)
- it defines an extension to SMTP and SUBMISSION for querying e-mail
address related information (e.g. PGP keys), and may be used to
authenticate afterwards:
https://tools.ietf.org/html/draft-moore-email-addrquery-01
This has come up on the dane list too and was discussed at IETF 92 in
Dallas. As the introduction to this draft states:
This document defines several mechanisms which can be used by a
client such as a Mail User Agent or Mail Submission Agent, to query
an SMTP server which is configured to accept incoming mail for a mail
domain, to
The problem is that anti-spam policies generally block SMTP ports so an
end user often has no way of reaching a target user's SMTP server for
querying the target user data/key.
The draft does allow using one's SMTP server's submission port, so if
I'm on coffeeshop wifi, presumably this could still work, but it requires
the sender to be an actual user with verifiable credentials.
It also allows the ISP to lie about these extensions and to (be forced
to) disable these, causing unencrypted emails. Think of the Lavabit
issue.
Paul
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp