It is message level.
Transport level security is ok but less flexible.
My preferred system would use spf for a master record, encode the domain
public key in the dns and include links to certificates for policy
correspondence.
The cost of a ca issued cert is policy enforcement.
-----Original Message-----
From: Philipp Morger
Sent: Mon Dec 08 00:18:48 2003
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] [registrars] yahoo announces new anti-spam
measure (fwd)
On Sun, Dec 07, 2003 at 14:08:44 -0500, Mark Jeftovic wrote:
http://www.washingtonpost.com/wp-dyn/articles/A39549-2003Dec5.html
"domainKeys"
Well, it's not so much a difference from TLS authenticated peers, is it?
except that you search the keys in the DNS instead of your local list of
trusted certs.
A TLS based scheme is IMHO quite easily implemented, most of the code
exists.
- If a client connects, get the name of the CA, look up a special Key
in the DNS that tells you whom to ask for the valid fingerprint.
- Ask the DNS-Server retrieved from the first step if the Fingerprint is
valid (RBL Style)
Example:
Host foo.example.com connects with cert signed by ca.example.com and
fingerprint 1:2:3:4
the DNSCA record of ca.example.com points to askme.example.com
an RBL style lookup is done upon the fingerprint on askme.example.com -
if it is listed, then it's ok - you may also tell the requestor if this
cert has been revoked or simply does not exist.
Regards
Philipp
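The two-step lookup Philipp sketches (find the CA's "DNSCA" pointer, then do an RBL-style query for the fingerprint) as an added, runnable illustration; this is example code written for this page, not code from the list or from any SPF or DomainKeys implementation. It assumes, for lack of a defined record type, that the DNSCA pointer is a TXT record at `_dnsca.<ca-domain>` of the form `askme=<zone>`, that the fingerprint zone answers with `127.0.0.2` for "valid" and `127.0.0.3` for "revoked" (a constructed convention, mirroring how IP-based RBLs encode answers), and that the fingerprint is queried one hex byte per label, reversed, exactly as an RBL reverses IP octets. The resolver is an offline stub with constructed records, and the "certificates" are arbitrary bytes rather than real DER.

```python
"""RBL-style certificate fingerprint check over DNS (constructed example)."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Assumed encoding of the post's "DNSCA record": a TXT record at
# _dnsca.<ca-domain> carrying "askme=<zone>". Not a real RR type.
DNSCA_LABEL = "_dnsca"

# Assumed RBL-style answer codes in the fingerprint zone (constructed convention).
STATUS_BY_ADDRESS = {"127.0.0.2": "valid", "127.0.0.3": "revoked"}


class StubResolver:
    """Constructed offline stand-in for a DNS resolver."""

    def __init__(self, records: Dict[Tuple[str, str], List[str]]):
        self.records = records

    def query(self, name: str, rrtype: str) -> List[str]:
        # An empty list plays the role of NXDOMAIN / no data.
        return self.records.get((name.lower(), rrtype), [])


def sha1_fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-1 fingerprint of a certificate blob (the 1:2:3:4 of the post)."""
    digest = hashlib.sha1(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_qname(fingerprint: str, zone: str) -> str:
    """Build the RBL-style query name: one label per hex byte, reversed, under the zone."""
    labels = fingerprint.lower().split(":")
    return ".".join(reversed(labels)) + "." + zone


def find_fingerprint_zone(resolver: StubResolver, ca_domain: str) -> Optional[str]:
    """Step 1 of the post: ask the CA's domain whom to query for fingerprints."""
    for txt in resolver.query(f"{DNSCA_LABEL}.{ca_domain}", "TXT"):
        if txt.startswith("askme="):
            return txt[len("askme="):]
    return None


def check_fingerprint(resolver: StubResolver, zone: str, fingerprint: str) -> str:
    """Step 2 of the post: RBL-style lookup. Returns 'valid', 'revoked' or 'unknown'."""
    for addr in resolver.query(fingerprint_qname(fingerprint, zone), "A"):
        if addr in STATUS_BY_ADDRESS:
            return STATUS_BY_ADDRESS[addr]
    return "unknown"


def verify_peer(resolver: StubResolver, ca_domain: str, cert_der: bytes) -> str:
    """Whole flow. A CA without a DNSCA pointer yields 'unknown', i.e. the check fails closed."""
    zone = find_fingerprint_zone(resolver, ca_domain)
    if zone is None:
        return "unknown"
    return check_fingerprint(resolver, zone, sha1_fingerprint(cert_der))


# Constructed sample data: fake "certificates" (arbitrary bytes, not real DER).
GOOD_CERT = b"constructed cert for foo.example.com"
REVOKED_CERT = b"constructed cert for bar.example.com"
UNLISTED_CERT = b"constructed cert nobody published"

ZONE = "askme.example.com"
RESOLVER = StubResolver({
    ("_dnsca.ca.example.com", "TXT"): [f"askme={ZONE}"],
    (fingerprint_qname(sha1_fingerprint(GOOD_CERT), ZONE), "A"): ["127.0.0.2"],
    (fingerprint_qname(sha1_fingerprint(REVOKED_CERT), ZONE), "A"): ["127.0.0.3"],
})

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("revoked", REVOKED_CERT), ("unlisted", UNLISTED_CERT)):
        print(label, verify_peer(RESOLVER, "ca.example.com", cert))
```

Note that an unlisted fingerprint and a CA with no DNSCA pointer both come back as "unknown" rather than "valid": a lookup scheme like this only adds assurance if the absence of an answer is treated as a failed check, otherwise anyone can present a cert from a CA that publishes nothing.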
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname(_at_)