spf-discuss

(off list) Re[2]: making the policy decision: leveraging HTTPS

2004-06-21 19:25:22
Hi Olaf,

For most non-spam emails, you've got 2 MTAs connected to each other,
so why not let the DNS simply specify *where* to get the public key
from (instead of the key itself) and strongly recommend that the
"where" that the public key is made available from should be the MTA,
so they can then use the existing connection to exchange the key ?

Or in other words, replace your steps 3 and 4:-


Old:-

3. MX host ("foo.bar.org") sees SMTP connection (sender address is
j(_dot_)doe(_at_)fortytwo(_dot_)eu(_dot_)org) and says "450 back in 5 minutes"

New:-

3. MX host ("foo.bar.org") sees SMTP connection (sender address is
j(_dot_)doe(_at_)fortytwo(_dot_)eu(_dot_)org) and says "450 here is my key: 
WQERfweRgWWEr..."

Old:-

4. sender ("foo.bar.org") gets fortytwo.eu.org's TXT record, thus the key

New:-

4. sender ("foo.bar.org") gets fortytwo.eu.org's TXT record, which
verifies that the key provided in step 3 is acceptable.




Kind Regards,
Chris Drake

Tuesday, June 22, 2004, 7:47:17 AM, you wrote:

O> Meng Weng Wong wrote:
O> > given DOMAIN, attempt to connect to https://www.DOMAIN/.
O> >
O> > If an HTTPS connection succeeds, and the certificate for
O> > DOMAIN is valid, that makes it somewhat more likely that
O> > the sender is a good guy.

O> Hmm, I would like the PGP way better:

O> 1. I generate PGP private/public pair for fortytwo.eu.org

O> 2. public key is in DNS, let's say in a TXT RR

O> 3. MX host ("foo.bar.org") sees SMTP connection (sender address is
O> j(_dot_)doe(_at_)fortytwo(_dot_)eu(_dot_)org) and says "450 back in 5
O> minutes" or - better "650 please hold the line" (yes, 6xx codes do not
O> exist - yet?)

O> 4. sender ("foo.bar.org") gets fortytwo.eu.org's TXT record, thus the key

O> 5. sender signs machine generated message to fortytwo.eu.org's MX with 
O> lowest number, containing J. Doe's sending IP

O> 6. my MX host replies automatically with "OK", "FAIL" or "DUNNO" and either
O> sends it as is or - if available - encrypts the answer with foo.bar.org's
O> public key. *OR* my MX is under attack and cannot answer.

O> 7. foo.bar.org then decides what to do with the sending host. If it gets no
O> answer from fortytwo.eu.org within 5 minutes, it says 450 to the sender and
O> blocks it for 10 minutes.

O> 8. foo.bar.org is not allowed to query fortytwo.eu.org for one hour; it
O> must cache the answer for this time.

O> Instead of 2. we could look at RFC2782 and define something like

O> _pgp._udp SRV 0 0 24 pgpkeys.fortytwo.eu.org.

O> in DNS. OK, maybe I just reinvented the wheel, these are just my 2 cents.

O> Olaf

O> -------
O> Sender Policy Framework: http://spf.pobox.com/
O> Archives at http://archives.listbox.com/spf-discuss/current/
O> Send us money!  http://spf.pobox.com/donations.html
O> To unsubscribe, change your address, or temporarily deactivate your subscription,
O> please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
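The exchange the two messages describe, as an added simulation that is not code from either poster: Chris's variant of steps 3 and 4 (the MX hands its public key over in the 450 reply and the connecting MTA checks it against a fingerprint pinned in the sender domain's TXT record), together with Olaf's step 7 timeout and step 8 one-hour cache. The hostnames are from the thread; the `v=keypin1 fp=...` record syntax, the SHA-256 fingerprint, the key bytes, the zone data, and the OK/FAIL/DUNNO to SMTP reply-code mapping are assumptions constructed for the example. The signed challenge of steps 5 and 6 is left out, since the standard library has no public-key signing.

```python
"""Added simulation (not code from either poster) of Chris's variant of Olaf's
scheme: the MX hands over its public key in the temporary-failure reply and the
connecting MTA validates it against a fingerprint pinned in DNS, plus Olaf's
timeout (step 7) and one-hour cache (step 8) rules. Hostnames come from the
thread; the TXT syntax, fingerprint method and key bytes are constructed."""
import hashlib

# Constructed stand-in for fortytwo.eu.org's public key blob.
PUBKEY_FORTYTWO = (b"-----BEGIN PUBLIC KEY-----\n"
                   b"WQERfweRgWWEr... (constructed bytes)\n"
                   b"-----END PUBLIC KEY-----\n")

QUERY_TTL = 3600      # step 8: one hour between DNS queries for the same domain
REPLY_TIMEOUT = 300   # step 7: wait at most five minutes for the peer's verdict
BLOCK_DURATION = 600  # step 7: then block the sending host for ten minutes


def fingerprint(key: bytes) -> str:
    """DNS publishes this digest instead of the key itself (assumed: SHA-256)."""
    return "sha256:" + hashlib.sha256(key).hexdigest()


# Constructed zone data, domain -> TXT record text. "v=keypin1 fp=..." is a
# made-up record format for this example.
DNS_TXT = {
    "fortytwo.eu.org": "v=keypin1 fp=" + fingerprint(PUBKEY_FORTYTWO),
    "unsigned.example": "v=spf1 -all",  # publishes SPF but no key pin
}

_cache = {}  # domain -> (pinned fingerprint or None, time fetched)


def set_txt_record(domain: str, txt: str) -> None:
    """Simulate a zone change; cached answers keep serving until their hour is up."""
    DNS_TXT[domain] = txt


def lookup_pin(domain: str, now: float):
    """Return the pinned fingerprint for domain, honoring the one-hour cache."""
    cached = _cache.get(domain)
    if cached is not None and now - cached[1] < QUERY_TTL:
        return cached[0]
    fields = DNS_TXT.get(domain, "").split()
    pin = None
    if fields and fields[0] == "v=keypin1":
        for token in fields[1:]:
            if token.startswith("fp="):
                pin = token[3:]
    _cache[domain] = (pin, now)
    return pin


def verify_presented_key(domain: str, presented_key: bytes, now: float) -> str:
    """Step 4 in Chris's variant: is the key handed over in the 450 reply acceptable?"""
    pin = lookup_pin(domain, now)
    if pin is None:
        return "DUNNO"  # no pin published, so the key proves nothing either way
    return "OK" if fingerprint(presented_key) == pin else "FAIL"


def decide(answer, waited_seconds: float):
    """Step 7: turn the peer's verdict (or silence) into an SMTP reply and block time.
    The OK/FAIL/DUNNO to reply-code mapping is an assumption, not from the thread."""
    if answer is None or waited_seconds >= REPLY_TIMEOUT:
        return "450", BLOCK_DURATION  # no verdict within five minutes
    return {"OK": ("250", 0), "FAIL": ("550", 0), "DUNNO": ("250", 0)}[answer]


if __name__ == "__main__":
    print(verify_presented_key("fortytwo.eu.org", PUBKEY_FORTYTWO, 0.0))  # OK
    print(verify_presented_key("fortytwo.eu.org", b"forged", 1.0))         # FAIL
    print(decide(None, 300))                                               # ('450', 600)
```

The point of pinning only a digest in DNS is that the TXT record stays short and the connection that already exists between the two MTAs carries the key itself; a forged key presented in the reply fails the comparison, and a domain that publishes no pin yields DUNNO rather than a false FAIL. The cache also means a zone change is not seen by a peer until its hour has elapsed, which is the cost of Olaf's step 8.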