Hello, I was going to wait a while longer before introducing myself
to this list, but I can't contain myself...
I do not think we want PKI anywhere near a spam solution. Several
reasons:
* More than 224,000 open relays (ordb.org). I assume some, if not most,
are due to careless administrators, and these same careless
administrators are going to correctly use certificates?
* There is very little incentive to steal keys right now. Client
certificates are generally useless, server certificates are only good
if you can control the domain name as well. Correct me if I'm wrong,
but even if I have www.vendor.com's private key, I still can't snoop in
on SSL conversations, and I can't hijack the site unless I hijack the
DNS entry as well. Look at the tremendous lengths spammers have gone
through to make e-mail unusable: deter spam using PKI and I suspect
we'll see a healthy black market of sender certificates.
The basic point is, trust DNS. If the key fingerprints are to be put
into DNS, then we trust DNS anyway, and we can eschew the PKI.
Thanks!
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.txt