spf-discuss

Re: Announcement: Mailbox Reputation Scheme

2004-02-01 16:55:30
On Sunday 01 February 2004 9:41 pm, Hallam-Baker, Phillip wrote:
> OK, let's take this back to basics. I think there is a salvageable idea here,
> but simply transposing PGP onto DNS is not the answer. The Web of trust idea
> is made to work in practice by the key servers; these have been left out of
> your model.

I don't see the relevance of PGP; there is no PKI aspect to MRN, although it
could be handled as an extension.

> Let's push the sponsorship scheme out into the HTTP/HTML world. To sponsor a
> domain, add them to a page on your web site. Another page notes the
> sponsorships you claim to hold. The point is that these resources are much
> simpler to modify for most users than DNS; they could be some other
> protocol.

The MRN site now provides both DNS hosting and a fallback domain with 
web-based administration to make it easier for adopters. See the quickstart 
wizard at:

http://www.polityresearch.com/mrn/quickstart.php

MRN supports XML over HTTP as an extension mechanism. Basically, only the
_existence_ of a relation between two entities is encoded into the DNS so
that it is a quick 'lightweight' lookup, and some basic information for the
entities involved is also in the DNS for the same reason.

Arbitrary additional data for each entity can be encoded into XML and
referenced via the profile=<url> attribute. Also, arbitrarily complex relation
typing is supported via a similar URL scheme for the arcs.

For example, a sponsorship relation can reference an XML document containing 
various datapoints describing an accreditation scheme.

> Then have various groups independently scan the accreditation sponsorship
> web and publish the results through the DNS based accreditation mechanism I
> proposed.

That is the idea - MRN simply provides an extensible global database for 
policy engines to scan. 

The interface between the MTA and the policy engine can be very simple - it 
just needs to know the (already SPF-verified) sending mailbox and the 
receiving mailbox. 

I am writing a base implementation of such a policy engine at the moment, 
which I intend to open-source for others to build on. It will expose the 
final authorization results via another DNS whitelist-based query mechanism 
with both addresses coded into the query, eg:

checkdnsrr( <mail-from-mbox>._x.<rcpt-to-mbox>.bl.polityresearch.com )

Any help with figuring out how to configure various MTAs to make such DNSBL
callouts after the sender has been verified by SPF would be much appreciated!

- Dan
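
An added example, not code from Dan's post or from MRN itself, of the MTA-to-policy-engine interface described above, in Python: it builds the <mail-from-mbox>._x.<rcpt-to-mbox>.bl.polityresearch.com whitelist query for a mailbox pair, interprets the answer, and serves the result over the Postfix SMTPD policy-delegation protocol (my choice of MTA hook, since the post asks how MTAs could make the callout). Assumed, because the post does not specify them: the mailbox text goes into the query name verbatim, '@' included; any 127.0.0.x answer means "listed"; the sender handed to the engine has already passed SPF; and the zone contents (CONSTRUCTED_ZONE) are made up so the example runs offline.

```python
import re
from typing import Callable, Dict, Optional

# Zone taken from the query shown in the post; everything else here is assumed.
ZONE = "bl.polityresearch.com"
MAX_LABEL = 63    # RFC 1035 label limit
MAX_NAME = 253    # practical limit for a presentation-form name

Resolver = Callable[[str], Optional[str]]  # name -> A record text, or None (NXDOMAIN)


def pair_query_name(mail_from: str, rcpt_to: str, zone: str = ZONE) -> str:
    """Encode the mailbox pair as <mail-from>._x.<rcpt-to>.<zone>.

    Assumption: the '@' is kept verbatim inside the label (the post does not
    say how mailboxes are encoded).  Inputs that are not plain mailboxes, or
    that would overflow DNS label/name limits, are rejected rather than queried.
    """
    for mbox in (mail_from, rcpt_to):
        if not re.fullmatch(r"[A-Za-z0-9._+=-]+@[A-Za-z0-9.-]+", mbox):
            raise ValueError(f"not a plain mailbox: {mbox!r}")
    name = f"{mail_from}._x.{rcpt_to}.{zone}".lower()
    if len(name) > MAX_NAME or any(len(lbl) > MAX_LABEL for lbl in name.split(".")):
        raise ValueError("mailbox pair does not fit in a DNS name")
    return name


def authorize(mail_from: str, rcpt_to: str, resolve: Resolver) -> str:
    """Whitelist lookup: any 127.0.0.x answer means the pair is listed.

    Returns a Postfix-style action: OK when listed, DUNNO (no opinion) otherwise.
    The caller must only invoke this for a sender that already passed SPF;
    a whitelist keyed on MAIL FROM is worthless for a forged sender.
    """
    try:
        qname = pair_query_name(mail_from, rcpt_to)
    except ValueError:
        return "DUNNO"
    answer = resolve(qname)
    return "OK" if answer is not None and answer.startswith("127.0.0.") else "DUNNO"


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix SMTPD policy-delegation request
    (name=value lines, terminated by an empty line)."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def policy_response(raw: str, resolve: Resolver) -> str:
    """Answer one policy request; Postfix expects 'action=<verb>' plus a blank line."""
    req = parse_policy_request(raw)
    sender = req.get("sender", "")
    recipient = req.get("recipient", "")
    if req.get("request") != "smtpd_access_policy" or not sender or not recipient:
        return "action=DUNNO\n\n"     # null sender (bounces) etc.: no opinion
    return f"action={authorize(sender, recipient, resolve)}\n\n"


# Constructed stand-in for the DNS zone so the example runs offline.
CONSTRUCTED_ZONE = {
    "dan@polityresearch.com._x.list@example.org.bl.polityresearch.com": "127.0.0.1",
}


def mock_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_ZONE.get(name)


if __name__ == "__main__":
    request = ("request=smtpd_access_policy\n"
               "sender=Dan@PolityResearch.com\n"
               "recipient=list@example.org\n"
               "client_address=192.0.2.10\n"
               "\n")
    print(policy_response(request, mock_resolve), end="")
```

In Postfix this would be wired in as a check_policy_service entry in smtpd_recipient_restrictions placed after the SPF check, so the engine only ever sees senders that already passed. Two things worth checking before deploying such a callout: mailbox pairs that do not fit DNS label limits are silently unlisted rather than truncated, and every query sends the full sender/recipient pair in cleartext to the resolver chain and to the zone operator.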

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname