On Wed, Jan 14, 2004 at 01:01:41AM +1100, Chris Drake wrote:
|
| As a PKI-aware person, do you know if anyone is doing any anti-spam
| PKI work, like any paid-for "I am not a spammer"
certificate system or
| other PKI-based anti-spam solutions? I think this would be an ideal
| alternative to SPF, since it gives SENDERS a way to ensure their
| emails reach their recipients - and the rights of senders
are getting
| totally lost in todays anti-spam frenzy.
I can't tell you what product plans might exist. However principal
scientists of companies of VeriSign tend to only get involved in a project
if they can see a potential market.
SPF is an authentication mechanism, Public Keyu cryptography provides an
authentication mechanism.
A PKI combines an authentication mechanism with an accreditation system.
The value of PKI lies in the accreditation system, not the authentication
part. Sure you can provide extra assurance by actually signing messages,
like you can forward. But that is not where the majro part of the value
lies.
You can always do
"v=spf1 smime -all"
Not very practical. I can do something about tracking the reputation of a
million ISPs or so. But I have no idea how to manage a billion end users. We
have to have accountability in a way that matches the current accountability
infrastructures of email sending. That means holding ISPs accountable for
the mail they send and through them the end users.
I've seen a few .sigs that read like "All mail signed by S/MIME".
The above SPF record is merely a formalized way of making the
assertion.
It is certainly a very important and useful statement - it prevents a
downgrade attack. That is why I would like to be able to formalize the spf
approach a bit further and make the scheme capable of much more generality
than is possible at present.
When, one day, crypto is built into all mail clients, then
the original
dream of PGP will be realized, and we don't need the
centralized servers
anymore, and instead of "v=spf1 mx" we can declare "v=spf1 pgp". But
this relies on a technological shift which hasn't happened yet.
Less than 5% of Internet users are using a mail client that is NOT capable
of sending encrypted and signed email.
The problem is the complexity of the user interfaces. That should be solved
very soon.
Phill
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname(_at_)©#�«Mo\¯HÝÜîU;±¤Ö¤Íµø�?¡