spf-discuss

Re: [registrars] yahoo announces new anti-spam measure (fwd)

2003-12-08 01:18:18
On Sun, Dec 07, 2003 at 14:08:44 -0500, Mark Jeftovic wrote:
http://www.washingtonpost.com/wp-dyn/articles/A39549-2003Dec5.html

"domainKeys"


Well, it's not so much a difference from TLS authenticated peers, is it?
Except that you search for the keys in the DNS instead of your local list of
trusted certs.

A TLS based scheme is IMHO quite easily implemented; most of the code
exists.

- If a client connects, get the name of the CA, look up a special key
  in the DNS which tells you whom to ask for the valid fingerprint.

- Ask the DNS-Server retrieved from the first step if the Fingerprint is
  valid (RBL Style)

Example:

Host foo.example.com connects with cert signed by ca.example.com and
fingerprint 1:2:3:4

The DNSCA record of ca.example.com points to askme.example.com

An RBL style lookup is done upon the fingerprint on askme.example.com -
if it is listed, then it's ok - you may also tell the requestor if this
cert has been revoked or simply does not exist.

Regards
Philipp
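
The two lookup steps from the message above, as an added example that is not part of the original post. The in-memory `ZONE` stands in for real DNS, and the answer codes and the fingerprint-to-label encoding are assumptions made for illustration; only the `DNSCA` record name and the sample hosts come from the message.

```python
# Constructed sample data: (owner name, record type) -> value.
# VALID/REVOKED answer codes are assumed, in the style of RBL return values.
VALID, REVOKED = "127.0.0.2", "127.0.0.3"
ZONE = {
    ("ca.example.com", "DNSCA"): "askme.example.com",
    ("1-2-3-4.askme.example.com", "A"): VALID,
    ("9-9-9-9.askme.example.com", "A"): REVOKED,
}

def resolve(name, rtype, zone=ZONE):
    """Stand-in resolver: returns the record value, or None for no such name."""
    return zone.get((name.lower().rstrip("."), rtype))

def fingerprint_label(fingerprint):
    """Encode a colon-separated fingerprint as one DNS label (assumed encoding)."""
    parts = fingerprint.lower().split(":")
    # Reject empty or non-alphanumeric groups so the peer cannot inject
    # dots or other characters into the query name.
    if not all(p.isascii() and p.isalnum() for p in parts):
        raise ValueError("malformed fingerprint")
    label = "-".join(parts)
    if len(label) > 63:  # DNS limit for a single label
        raise ValueError("fingerprint too long for one DNS label")
    return label

def check_peer(ca_name, fingerprint, zone=ZONE):
    """Return 'ok', 'revoked', 'unknown' or 'no-dnsca' for a presented cert."""
    # Step 1: the CA's DNSCA record names the server to ask about fingerprints.
    authority = resolve(ca_name, "DNSCA", zone)
    if authority is None:
        return "no-dnsca"
    # Step 2: RBL-style lookup of the fingerprint under that server's name.
    answer = resolve(f"{fingerprint_label(fingerprint)}.{authority}", "A", zone)
    if answer == VALID:
        return "ok"
    if answer == REVOKED:
        return "revoked"
    return "unknown"  # not listed, or an unrecognised answer: fail closed

if __name__ == "__main__":
    for fp in ("1:2:3:4", "9:9:9:9", "5:6:7:8"):
        print(fp, check_peer("ca.example.com", fp))
```

An `ok` result only says the DNS lists that fingerprint; the TLS handshake still has to prove the peer holds the certificate's private key.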

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt