spf-discuss

Re: Status of Email Authentication

2005-03-02 05:32:08

----- Original Message ----- From: "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, March 01, 2005 11:58 AM
Subject: RE: [spf-discuss] Status of Email Authentication

SPF can also get hornswoggled, since the DNS TXT lookup can get
mis-routed to a fake DNS server, but people have tended to notice that
sort of thing fairly quickly.

The same DNS insecurities that apply to SPF apply to DNS-crypto-based
authentication technologies as well.  I can just misroute DNS lookups to
my DNS server which responds with my very own faked domain public key.

Oh, I agree. There are various end-to-end encryption techniques that involve pre-registering keys, but those tend to be very burdensome to implement and don't work for unpredictable traffic like standard email.

An end-to-end system that includes both keys and IP addresses would at least report the change in the key usage vs. the IP address, but most folks would click on it and accept it anyway (as happens now with SSL keys).
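The "keys plus IP addresses" check sketched in the reply, as an added example that is not code from this thread or from any SPF or DNS-key implementation: a trust-on-first-use pin store that remembers each sender domain's key fingerprint and sending addresses, then reports whether a later change is in the key, the address, or both. Domain names, fingerprints and addresses below are constructed sample values.

```python
"""Pin store modelling the 'report key change vs. IP address' idea."""
from dataclasses import dataclass, field


@dataclass
class Pin:
    key_fingerprint: str          # fingerprint of the key first seen for the domain
    ips: set = field(default_factory=set)  # sending addresses seen with that key


class SenderPinStore:
    def __init__(self):
        self.pins = {}  # domain -> Pin

    def observe(self, domain, key_fingerprint, ip):
        """Record one (domain, key, ip) observation and return a finding label."""
        pin = self.pins.get(domain)
        if pin is None:
            # Trust on first use: nothing to compare against yet.
            self.pins[domain] = Pin(key_fingerprint, {ip})
            return "first-seen"
        if key_fingerprint != pin.key_fingerprint:
            # The key is NOT silently replaced; a change is reported, and the
            # verdict says whether the address is one we already associate
            # with the old key (rotation-like) or a new one as well (key and
            # path changed together, the profile of a forged DNS answer).
            if ip in pin.ips:
                return "key-changed-same-ip"
            return "key-changed-new-ip"
        if ip not in pin.ips:
            pin.ips.add(ip)  # same key from a new address: remember it
            return "new-ip-same-key"
        return "consistent"

    def accept_key(self, domain, key_fingerprint, ip):
        """Operator-approved key rotation: replace the pin and reset addresses."""
        self.pins[domain] = Pin(key_fingerprint, {ip})


def run_demo():
    """Constructed observation sequence; returns the list of findings."""
    store = SenderPinStore()
    observations = [
        ("example.com", "fp-A", "192.0.2.10"),
        ("example.com", "fp-A", "192.0.2.10"),
        ("example.com", "fp-A", "192.0.2.11"),
        ("example.com", "fp-B", "192.0.2.10"),
        ("example.com", "fp-B", "203.0.113.5"),
    ]
    return [store.observe(d, k, ip) for d, k, ip in observations]
```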