spf-discuss

RE: let's get rid of SRS

2004-05-20 03:29:47
On Wed, 19 May 2004, Seth Goodman wrote:

> First, is it feasible to create multiple private keys that can be
> validated by the same public key with reasonably strong security?

I believe not.

> If so, would it be possible when decrypting a signature to tell which
> private key it was signed with?  The motivation for this would be to
> gain the ability to do per-user validation without having to publish a
> separate public key for every user.  Publishing per-user public keys
> would certainly give a domain that capability, but it means publishing a
> list of valid local addresses.  That is something most businesses would
> not be happy with.

You can solve the problem by using the SPF macro scheme to state where to
look up public keys in a per-user fashion, or this information could be
implicit in the address signature format. In either case you can avoid
publishing the list of users as a whole by disallowing zone transfers from
your nameservers.

-- 
Tony Finch  <dot@dotat.at>  http://dotat.at/
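An added illustration of the per-user lookup Tony describes (this is not code from the thread or from any SPF implementation): a small expander for the SPF macro subset %{l}, %{d}, %{s} and %{o}, including the digit-count, `r` and delimiter transformers, used to derive the DNS owner name of a hypothetical per-user key record such as `%{l}._keys.%{d}`. The record template and the zone contents are constructed for this example.

```python
import re

# One SPF macro: letter, optional digit count, optional 'r', optional delimiters.
MACRO_RE = re.compile(r"%\{([ldso])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_macro(template: str, sender: str) -> str:
    """Expand the l/d/s/o macro subset of SPF against an envelope sender."""
    local, _, domain = sender.rpartition("@")
    values = {"l": local, "d": domain, "s": sender, "o": domain}

    def replace(m: re.Match) -> str:
        letter, count, reverse, delims = m.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:            # 'r' reverses the parts first ...
            parts.reverse()
        if count:              # ... then only the rightmost N parts are kept
            parts = parts[-int(count):]
        return ".".join(parts)

    out = MACRO_RE.sub(replace, template)
    # The literal escapes SPF defines outside %{...}: %%, %_ and %-.
    return out.replace("%%", "%").replace("%_", " ").replace("%-", "%20")


# Constructed zone fragment: per-user key records keyed by owner name.
# The key material is a labelled placeholder, not a real public key.
EXAMPLE_ZONE = {
    "alice._keys.example.com": "k=rsa; p=<PLACEHOLDER_ALICE_PUBLIC_KEY>",
    "bob._keys.example.com": "k=rsa; p=<PLACEHOLDER_BOB_PUBLIC_KEY>",
}
USER_KEY_TEMPLATE = "%{l}._keys.%{d}"  # hypothetical per-user record name


def lookup_user_key(sender: str, zone=EXAMPLE_ZONE, template=USER_KEY_TEMPLATE):
    """Resolve the sender's key by its derived owner name.

    A verifier that already knows the address can fetch exactly one record;
    an unknown local-part simply yields None. Nothing in this lookup path
    reveals the other owner names, which is why the zone as a whole stays
    private as long as zone transfers are refused.
    """
    return zone.get(expand_macro(template, sender))
```

The verifier only ever asks for the name it computed, so the per-user records are reachable individually without the domain ever publishing its address list.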

