spf-discuss

Re: Why not just use S/MIME or GPG signatures?

2003-10-07 00:47:50
On Tue, Oct 07, 2003 at 12:10:30AM -0700, Phil Karn wrote:
> This proposal seems to entail a lot of complexity and work for a result
> that is admittedly not 100% effective and will also inconvenience many
> end users.
>
> There's a much simpler way to verify senders: S/MIME or GPG
> signatures. Either or both schemes are already implemented on many
> mailers, though they aren't used much. Why not just put your
> collective weight behind getting them used?

        GPG does not prevent forged From: addresses, as far as I know.
Spammers could easily roll their own GPG private keys, so the gain of
GPG would be minimal, unless you just used it as a cryptographically
strong whitelist.  (Check out http://tmda.net for another take on
automatic "cryptographic" whitelisting.)

        S/MIME continually costs money for "professionally" signed
certs.  Spammers will gladly pay to get their certs signed so they can
send spam.  If you use self-signed certificates, spammers can once
again roll their own certs.

> And I can continue to send my email direct to its recipients from
> any IP address I happen to be visiting.

        I agree that this is a real cost, but it is a one-time cost, and I
wholeheartedly think it is worth paying.  Moreover, I have heard
several domain owners claim that they hate that people can forge mail
from their domains, because then they have to deal with the complaints
and the bounces.


        BTW, I too, am new to SPF and this list.  I'm really glad
someone is moving forward to actually implement this idea.

        The website talks about three different RFCs, which are being
merged.  Have they been merged already?  Are they still in the process
of being merged?  Some people are saying they've already entered SPF DNS
records, which sort of implies that the three RFCs either have finished
merging or have stopped merging.  If there is now one combined RFC,
I'd like to read it.  Reading 3 similar RFCs is a little more work
than I want to do.

        -Matthew.
______________________________________________________________________
                                                      
matthew(_at_)syrah(_dot_)us

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/