----- Original Message -----
From: "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, March 01, 2005 11:58 AM
Subject: RE: [spf-discuss] Status of Email Authentication
>> SPF can also get hornswoggled, since the DNS TXT lookup can get
>> mis-routed to a fake DNS server, but people have tended to notice that
>> sort of thing fairly quickly.

> The same DNS insecurities that apply to SPF apply to DNS-crypto-based
> authentication technologies as well. I can just misroute DNS lookups to
> my DNS server which responds with my very own faked domain public key.

Oh, I agree. There are various end-to-end encryption techniques that involve
pre-registering keys, but those tend to be very burdensome to implement and
don't work for unpredictable traffic like standard email.
An end-to-end system that includes both keys and IP addresses would at least
report the change in the key usage vs. the IP address, but most folks would
click on it and accept it anyway (as happens now with SSL keys).
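The mechanism sketched in the last paragraph (remember both the domain's published key and the IP addresses it sends from, and report when one changes relative to the other) as an added Python example. This is illustrative code written for this note, not anything posted by the thread participants and not part of any SPF or domain-key implementation. The `PinStore` class, the domain name, the key bytes and the IP addresses are all constructed; the "public key" is just a byte string whose SHA-256 fingerprint stands in for a real DNS-published key. A changed key is never accepted automatically; the operator has to call `accept_key_change`, which is the step most people would otherwise click through.

```python
"""Trust-on-first-use pin store for (domain, published key, sending IP).

Constructed example: the first observation of a domain is recorded as-is;
later observations are compared against it and anomalies are reported.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Short, stable identifier for a key so the store never holds raw keys."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Pin:
    key_fingerprint: str
    sender_ips: set = field(default_factory=set)


class PinStore:
    """Hypothetical pin store; domain -> Pin."""

    def __init__(self) -> None:
        self.pins: dict = {}

    def observe(self, domain: str, public_key: bytes, sender_ip: str) -> list:
        """Record or check one (domain, key, sending IP) observation.

        Returns a list of finding tags; an empty list means everything
        matched what was seen before.
        """
        fp = fingerprint(public_key)
        pin = self.pins.get(domain)
        if pin is None:
            # First contact: trust on first use and remember what we saw.
            self.pins[domain] = Pin(fp, {sender_ip})
            return ["first-seen"]

        findings = []
        if pin.key_fingerprint != fp:
            # The key answered by DNS differs from the one we pinned.
            findings.append("key-changed")
            if sender_ip in pin.sender_ips:
                # Same sending host, different key: the mail path did not
                # change but the DNS answer did, which is the case the
                # thread is worried about (a mis-routed lookup). The pin
                # is deliberately NOT updated here.
                findings.append("key-changed-same-ip")
        elif sender_ip not in pin.sender_ips:
            # Key matches but the host is new: learn the IP, but report it.
            findings.append("new-ip-known-key")
            pin.sender_ips.add(sender_ip)
        return findings

    def accept_key_change(self, domain: str, public_key: bytes) -> None:
        """Explicit operator decision to re-pin a domain to a new key."""
        pin = self.pins[domain]
        self.pins[domain] = Pin(fingerprint(public_key), set(pin.sender_ips))


def run_demo() -> list:
    """Constructed sequence of observations; returns (label, findings) pairs."""
    store = PinStore()
    events = [
        ("first mail", "example.com", b"KEY-A", "192.0.2.10"),
        ("repeat, same host", "example.com", b"KEY-A", "192.0.2.10"),
        ("new host, same key", "example.com", b"KEY-A", "192.0.2.11"),
        ("same host, new key", "example.com", b"KEY-B", "192.0.2.10"),
        ("new host, new key", "example.com", b"KEY-B", "198.51.100.5"),
    ]
    return [(label, store.observe(d, k, ip)) for label, d, k, ip in events]


if __name__ == "__main__":
    for label, findings in run_demo():
        print(f"{label:20s} -> {findings or ['ok']}")
```

The "same host, new key" case is the one worth alerting on loudly: the domain's infrastructure did not move, only the DNS answer did. "New host, new key" is ambiguous (the domain may genuinely have rotated both) and is left for the operator to resolve with `accept_key_change`.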