spf-discuss

Re: let's get rid of SRS

2004-05-19 17:31:21
Roger Moser (Roger(_dot_)Moser(_at_)pamho(_dot_)net) wrote:

The sender signs a hash of the envelope sender (plus time stamp) by using a
private RSA key and in the SPF record publishes the public key needed to check
the signature. For example: "v=spf1 a mx ses:...public_key... -all" meaning
"all mail from us has a signed envelope sender and here is the method to
check it".

In addition to the legal issue raised by a previous reply, there is a
time synchronization issue when it comes to the timestamps.  How much
drift do you propose to allow between the client and the server before
the signature check fails due to clock skew?

Apart from those objections, it seems promising.

-- 
Greg Wooledge                  |   "Truth belongs to everybody."
greg(_at_)wooledge(_dot_)org              |    - The Red Hot Chili Peppers
http://wooledge.org/~greg/     |

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-200405.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
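
The signed envelope sender described in the quoted proposal, together with the clock-skew question raised in the reply, as an added sketch (not code from the thread or from any SPF draft). The function names, the "address|timestamp" payload layout, the 300-second drift tolerance, the one-day lifetime and the use of RSA PKCS#1 v1.5 with SHA-256 through Node's crypto module are all assumptions made for the illustration.

```javascript
// Added illustration. Names, payload layout and both time limits are assumptions.
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300;     // assumed tolerance for drift between the two clocks
const LIFETIME_SECONDS = 86400;   // assumed period during which a signature stays valid

// Constructed key pair. In the proposal the public half would be published in the SPF record.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// The signed bytes cover both the address and the signing time,
// so neither can be changed without invalidating the signature.
function payloadFor(address, signedAt) {
  return Buffer.from(`${address}|${signedAt}`, 'utf8');
}

// Sender side: sign the envelope sender plus a timestamp (seconds since the epoch).
function signEnvelopeSender(address, signedAt, key) {
  const signature = crypto.sign('sha256', payloadFor(address, signedAt), key);
  return { address, signedAt, signature: signature.toString('base64') };
}

// Receiver side: verify the signature first, then judge the timestamp against
// the receiver's own clock. Distinct results keep a drifting clock from being
// logged as a forgery.
function checkEnvelopeSender(token, now, key) {
  const sig = Buffer.from(token.signature, 'base64');
  const valid = crypto.verify('sha256', payloadFor(token.address, token.signedAt), key, sig);
  if (!valid) return 'bad-signature';
  // Signer's clock runs ahead of ours by more than the tolerance.
  if (token.signedAt - now > MAX_SKEW_SECONDS) return 'future-timestamp';
  // Older than the lifetime, even after allowing for drift.
  if (now - token.signedAt > LIFETIME_SECONDS + MAX_SKEW_SECONDS) return 'expired';
  return 'ok';
}

// Constructed sample: one address signed at a fixed time, checked by a
// receiver whose clock is 200 s and then 301 s behind the signer's.
const SIGNED_AT = 1084987881;
const sample = signEnvelopeSender('roger@example.org', SIGNED_AT, privateKey);
console.log(checkEnvelopeSender(sample, SIGNED_AT - 200, publicKey));
console.log(checkEnvelopeSender(sample, SIGNED_AT - 301, publicKey));
```

Whatever tolerance is chosen, it widens the window in which a captured signature can be reused by the same amount, so the drift allowance and the lifetime have to be set together.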

