spf-discuss

Re: verifying the message instead of just its path

2004-01-20 22:19:25
On Tue, 20 Jan 2004, Meng Weng Wong wrote:
> On Tue, Jan 20, 2004 at 10:03:11PM -0600, Thor Kooda wrote:
> | Wouldn't a system that just used public key crypto to verify messages
> | avoid any issues with the smtp envelope sender and forwarding?
> |
> | I understand that SPF (and friends) are more geared towards authorizing
> | the path of a message, and not the message itself, but I think there is
> | some merit in combining the two..
>
> You are drawing a distinction between sender and author.

what if the system I was describing used the domain from the "From:"
header, and ignored the envelope sender for verification?

a legitimate company could still outsource its sending to a 3rd party,
and the domain from the "From:" could still authorize/verify the
message.

the hash+crypto is just the method of identifying a particular message,
and the dns export of the key allows me to verify that the domain that
the message appears to come from (read: "From:") really did send
(read: author) it.


> | A simple, un-intrusive hash+pubkey system could be used to verify that
> | messages really did come from where they appear to have come from.
>
> This is more or less domainkeys.  Yahoo needs to publish a spec for it.

except that this method allows anyone to use the existing dns hierarchy
to distribute (and revoke) keys, as well as rotate them as often as they
like, so that faster (less secure) keys with a shorter key length may be
used.  -and with no CA, its PKI is free.

-- 
Thor Kooda
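
The scheme discussed in this message, sketched as an added example that is not part of the original post and is not DomainKeys or any published specification: the message is hashed and signed, and the receiver looks up the key by the "From:" header domain while ignoring the envelope sender. The header name `X-Toy-Sig`, the `DNS_KEYS` dictionary standing in for DNS, and the unpadded RSA over fixed public primes are assumptions made to keep it standard-library only; the key material is not secure.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

# Toy key pair built from two well-known Mersenne primes so the example needs
# only the standard library. Unpadded RSA over public primes is NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# Constructed stand-in for the DNS: From: domain -> published public key.
DNS_KEYS = {"example.com": (N, E)}

def digest(msg):
    """SHA-256 over the From: header and body, as an integer."""
    data = ((msg["From"] or "") + "\n" + msg.get_payload()).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(raw, d=D, n=N):
    """Sending side: prepend a signature header (hypothetical name)."""
    sig = pow(digest(message_from_string(raw)), d, n)
    return "X-Toy-Sig: %x\n%s" % (sig, raw)

def verify(raw, envelope_sender, dns=DNS_KEYS):
    """Receiving side. envelope_sender is accepted but deliberately unused:
    the key is looked up by the From: header domain only."""
    msg = message_from_string(raw)
    domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    key, sig_hex = dns.get(domain), msg["X-Toy-Sig"]
    if key is None or sig_hex is None:
        return False  # no key published (or withdrawn), or message unsigned
    n, e = key
    try:
        sig = int(sig_hex, 16)
    except ValueError:
        return False
    return pow(sig, e, n) == digest(msg)

# Constructed sample message.
RAW = "From: Alice <alice@example.com>\nSubject: report\n\nNumbers attached.\n"
SIGNED = sign(RAW)

if __name__ == "__main__":
    print(verify(SIGNED, "alice@example.com"))           # direct delivery
    print(verify(SIGNED, "fwd@forwarder.example.net"))   # forwarded, new envelope
    print(verify(SIGNED.replace("Numbers", "Altered"), "alice@example.com"))
    print(verify(SIGNED, "alice@example.com", dns={}))   # key withdrawn from DNS
```

Only the From: header and body are covered by the hash here, so a change to any other header goes undetected in this sketch.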
