The sender domain's public key can be found by including the key ID in
the SPF record (e.g. "pgp=cc983928"), and this can then be retrieved from
e.g. pgp.mit.edu and then cached. Key IDs are supposed to be unique and
...
Key IDs are 4 bytes long, thus there are 4294967295 combinations.
(Same number of potential IP addresses out there, were each IP
addr allowed, no multicast, etc.)
I don't know if a collision has occurred yet or not, I'm very
curious. When verifying a key, you should use both the
keyid, bits, type (DSA/RSA), and fingerprint (fingerprint is
20 bytes long) -- you can eventually forge a specific key id
if you can twiddle the rest. All together, the work to create
a meaningful key that matches all these characteristics is
either computationally infeasible or impossible, I forget
which...
I wonder how many domains are out there currently - if each
had a key, I'd find it amazing if we didn't have a collision
via the birthday paradox. 1.2*sqrt(4294967295) == 78643 keys,
roughly.
Hmmn - with numbers like that, I'd think we'd already have a collision.
I should go investigate.
(FYI: DSA keyids are simply the last 4 bytes of the fingerprint.)
--
Brian Hatch "Was that a compliment?"
Systems and "After a fashion."
Security Engineer "Then you trust me?"
http://www.ifokr.org/bri/ "After a fashion."
Every message PGP signed
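The birthday estimate in the post above, worked through as an added example (not code from the post or from the SPF project): it derives a 32-bit key ID from a constructed 20-byte fingerprint, evaluates the 1.2*sqrt(N) rule of thumb and the exact collision probability, and simulates random fingerprints until two share a key ID. The fingerprints and the `draws_until_collision` simulation are constructed here; the key ID value cc983928 is the one quoted on the page.

```python
import math
import random

KEYID_BITS = 32
KEYID_SPACE = 2 ** KEYID_BITS  # 4294967296 possible 32-bit key IDs


def keyid_from_fingerprint(fingerprint: bytes) -> bytes:
    """A key ID is the low-order 4 bytes of the 20-byte fingerprint (as the post notes)."""
    if len(fingerprint) != 20:
        raise ValueError("expected a 20-byte (160-bit) fingerprint")
    return fingerprint[-4:]


def birthday_bound(space: int, factor: float = 1.2) -> int:
    """The post's rule of thumb: roughly factor*sqrt(N) keys before a collision is likely."""
    return int(factor * math.sqrt(space))


def collision_probability(keys: int, space: int) -> float:
    """Exact P(at least one shared ID) among `keys` uniformly random IDs drawn from `space`."""
    log_no_collision = sum(math.log1p(-i / space) for i in range(keys))
    return 1.0 - math.exp(log_no_collision)


def draws_until_collision(seed: int, limit: int = 500_000) -> int:
    """Constructed simulation: random 20-byte fingerprints until two map to the same key ID.

    Returns the draw count at the first collision, or `limit` if none occurred."""
    rng = random.Random(seed)
    seen = set()
    for n in range(1, limit + 1):
        kid = keyid_from_fingerprint(rng.randbytes(20))
        if kid in seen:
            return n
        seen.add(kid)
    return limit


if __name__ == "__main__":
    bound = birthday_bound(KEYID_SPACE)
    print(f"1.2*sqrt(2^32) = {bound} keys")
    print(f"P(collision) at {bound} keys = {collision_probability(bound, KEYID_SPACE):.3f}")
    print(f"simulated first key-ID collision after {draws_until_collision(seed=1)} keys")
    # Two constructed fingerprints that differ but share the key ID cc983928:
    # a verifier that compares only the ID would accept either.
    fp_a = bytes(16) + bytes.fromhex("cc983928")
    fp_b = bytes([0x01] * 16) + bytes.fromhex("cc983928")
    print("same key ID:", keyid_from_fingerprint(fp_a) == keyid_from_fingerprint(fp_b),
          "| same fingerprint:", fp_a == fp_b)
```

At the 78643-key bound the exact probability of at least one shared key ID comes out just over one half, which is why the post expects a collision already if every domain published a key.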
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt