Thank you for an accurate and comprehensive roundup of the issues.

On Tue, Jun 29, 2004 at 10:51:04AM -0700, Jonathan Gardner wrote:
|
| (5) Add additional checks for authenticity in SPF, or leave that as an
| option. This would make it so that an SPF result cannot be obtained in all
| cases before the message is sent. In particular, Domain Keys may require
| the entire message to be sent, and so checking Domain Keys will have to
| cause SPF to return a "NEED MORE INFO" result before the checking can
| resume and be completed. Perhaps PGP or S/MIME could be used for this
| purpose as well.

I should point out that even with PGP the authenticity
problem can arise.
A PGP signature on a message merely means that the signing
identity was once authorized to represent a human author.
If a virus snags the secret key using a keysniffer device,
the virus becomes capable of identity theft, and the
analogous situation obtains.
:)