spf-discuss

Re: making the policy decision: leveraging HTTPS

2004-06-21 02:37:44

Proposing that a mail sender must ALSO set up and run a Web-server is
ridiculous!
I have many domains that send and receive mail but do not have, are not
intended to have and will not have HTTP based services.



I'm not sure that making a https round-trip for each incoming message is
something I'd want to be doing.

That said, proposing that a mail *sender* do _some_ additional work to
claim the right to send mail isn't as crazy as all that. Neither is it
entirely ridiculous to expect that a domain interested in protecting the
use of their name (a *publisher* ?) should expend some CPU on the process.

Of course, such proposals make a significant change in the burden of
processing in LMAP schemes, and might be expected to affect the adoption
dynamic somewhat.

There's absolutely no reason why a reputation / accreditation service
couldn't require https://whatever.${MAIL_DOMAIN}/ for a good rating to be
issued (like Matthew Elvey suggested). What you get for your certificate is
an assurance that *someone* has taken *some* steps to verify *something*
about the entity the certificate applies to. So now the reputation service
doesn't need the overhead to do this. It's quite a neat business idea.

Of course, precisely what is verified in the certification process depends
on the authority (and on cost of certificate - you can get a cheapo chained
certificate where not much more than your phone number is verified, and
short-life 'trial' certificates are available for free).