spf-discuss

RE: ip6 mechanism + signing messages

2004-03-07 17:54:45
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aredridel wrote:

> example.com. IN TXT "v=spf1 ip4:192.0.2.0/24 ip6:[2001:db8::/32] -all"
>
> More often ip6:[2001:db8::]/32 -- mask outside. Not always uniform
> everywhere, though.

I've never seen the mask at that place; also it would parse
very ugly and isn't really readable imho either.

Anyhow, what is the standard for the ip6 mechanism? Currently
it is not defined in the docs, and if SPF is serious it needs
to be properly documented... ;)

On Wed, 2004-03-03 at 01:52 +0100, Jeroen Massar wrote:
> On another note, to extend SPF wouldn't it be
> a good feature to add something like:
> example.com IN TXT "v=spf1 sig:sigserver.example.net"
>
> The 'sigserver.example.net' box could then run
> a whois like directory which contains PGP (or other)
> signature methods just like the current pgp keyservers.

Lars Dybdahl wrote:
> SPF was not designed to be used on the e-mail after receiving
> the e-mail body - but the idea of letting the DNS system point
> at a PGP keyserver is very good.
> <SNIP>
> Maybe another kind of TXT record would be the right way to do it?

Fine with me ;) I would really like to see a standard way of verifying
a message based on PGP though. This would imply that people start
signing every single piece of email, but there is nothing wrong with
that I guess, as that is exactly what we want. The point is, we simply
need a PKI, and the above would be a nice way to do it. Having a:
example.com IN TXT "v=pgp1 server:pgp.example.net"
would do the same trick too; such a server could allow other things
too, e.g. registering a combo of hash/message-ids that get sent
out and allowing receivers to verify that the message-id was really
sent out by the sending user.

I even think that things like MS's Passport or even orkut are a
good thing here as they have a high userbase and the email address
is verified. Orkut even has some kind of trust metric in place already.

David Woodhouse wrote:
> What's wrong with just putting the key into the SPF record too?

Because keyservers, especially for PGP, are a common thing;
adding it in the above makes sure that the person who wants
to verify the key knows the correct keyserver
where the key is available. Then again we could also simply
say 'always verify from pgp.surfnet.nl' or a similarly known
host, but I guess that won't scale very well. The above also
directly makes a nice distributed PKI ;)

> In general don't want to use GPG because it involves MIME (or other
> noise) and won't always survive mailing lists, and because to many
> people a GPG signature implies a level of trust far above what's
> appropriate with SMTP AUTH.

Cleartext signing can be done too and is usually used.
In case of a mailing list, it could verify the signature
and, if it is correct, it could resend the message, signing
it with the mailing list's key.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iQBGBAERAgAQCRApqihSMz58IwUCQEvEVAAApu4An1xp+7wvQL+nmw19REI631th
dLpvAKCSWiKSctH3ZeAt1JkihRMZxJS8Jg==
=Lxco
-----END PGP SIGNATURE-----
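As an added illustration (not code from this thread or from any SPF implementation), the parser below accepts the two bracketed ip6 spellings compared above, mask inside and mask outside the brackets, plus the unbracketed ip6:2001:db8::/32 form that the later SPF specification (RFC 4408) adopted, and evaluates only the DNS-free ip4/ip6/all mechanisms against a sender address. The record and addresses are constructed for the example.

```python
import ipaddress

# Constructed record using both bracket spellings compared in the thread plus an
# ordinary ip4 mechanism; it is not a record taken from the discussion itself.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:[2001:db8::/32] ip6:[2001:db8:1::]/48 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_ip6_arg(arg):
    """Return an IPv6Network for ip6:[addr/len], ip6:[addr]/len or ip6:addr/len.
    A missing prefix length means a single host (/128)."""
    if arg.startswith("["):
        close = arg.find("]")
        if close == -1:
            raise ValueError("unterminated '[' in ip6 mechanism: " + arg)
        inner, rest = arg[1:close], arg[close + 1:]
        if rest.startswith("/"):                 # mask outside the brackets
            if "/" in inner:
                raise ValueError("prefix length given twice: " + arg)
            addr, mask = inner, rest[1:]
        elif rest:
            raise ValueError("unexpected text after ']': " + arg)
        else:                                    # mask inside the brackets (or none)
            addr, _, mask = inner.partition("/")
    else:                                        # unbracketed form
        addr, _, mask = arg.partition("/")
    return ipaddress.IPv6Network(f"{addr}/{mask or 128}", strict=False)


def check_host(record, ip):
    """Evaluate only the DNS-free mechanisms (ip4, ip6, all) of an spf1 record;
    a, mx, include etc. need lookups and are skipped here."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an spf1 record")
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                               # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4" and sender.version == 4:
            net = ipaddress.IPv4Network(arg if "/" in arg else arg + "/32", strict=False)
        elif name == "ip6" and sender.version == 6:
            net = parse_ip6_arg(arg)
        else:
            continue
        if sender in net:
            return QUALIFIERS[qual]
    return "neutral"                             # nothing matched and no 'all' term
```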

