spf-discuss
[Top] [All Lists]

Re: Why not just use S/MIME or GPG signatures?

2003-10-07 13:14:47
On Tue, Oct 07, 2003 at 12:10:30AM -0700, Phil Karn wrote:

There's a much simpler way to verify senders: S/MIME or GPG 
signatures. Either or both schemes are already implemented on many 
mailers, though they aren't used much. Why not just put your collective 
weight behind getting them used?

With message signatures, no kludgey changes to the DNS or to mail 
servers are required. All the work can be done at the end points, and 
the choice whether to accept or ignore a certain message is under 
recipient control where it belongs. And I can continue to send my email 
direct to its recipients from any IP address I happen to be visiting.

        In a previous message I discounted Phil's suggestion of using
S/MIME or GPG as ineffective, as it would be to easy of spammers to
create or acquire valid certs/private keys.

        However, I have realized there might be a way to use a GPG or
S/MIME like system, either in conjunction or independantly of SPF.
What I envision is not exactly what Phil described.  And I prefer to
avoid using GPG or S/MIME directly, becasue AFAIK both of those
technologies directly effect or change the message body.

        But what if:

        1) domain.com uses a self generated private key to sign each
message that originates at one of its MTA.  The signature might
include include: the from address, the to address, the subject of the
message, a hash of the message body (and more?).  The signature would
be added to the message as a header.

        2) domain.com uses DNS TXT records to publish the URL from
which its public key(s) can be downloaded.

        Such a system, which operates only at the endpoints, allows
the receiving MTA to verify that signed messages are valid, no matter
how many times they have been forwarded.  This prevents forged frome
headers and allows whitelist and blacklisting at the domain level.

        Such a system is a complement or extension of SPF, not a
replacement.

        Comments appreciated.

        -Matthew.
______________________________________________________________________
                                                      
matthew(_at_)syrah(_dot_)us

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡