On 03/07/2006 18:30, Julian Mehnle wrote:
Daniel Taylor wrote:
I'm still waiting for someone, anyone, to come up with an e-mail
source forgery prevention mechanism superior to SPF. I would say PGP/GPG
is the perfect solution, but look at your inbox and mail client and tell
me it is more widespread than SPF despite having been available for
over 10 years now and solving more problems than SPF attempts to.
...
Anyway, there are far fewer domain owners than end-users, so that should
explain SPF's structural advantage over PGP. But I agree that PGP is the
definite solution to the forgery problem. Banks, eBay, etc. should really
form a cooperative initiative and start propagating PGP to their users
instead of inventing silly workarounds like "never click links in e-mails
claiming to come from us".
Now since I get a lot of mail from you (via mailing lists), if I got mail
"from" you that didn't have a PGP signature, I'd be suspicious. In a broader
sense though, how would a receiver know to expect a PGP signature from you?
SPF OPtions modifier seems to be a possible solution...
op=pgp[then we need syntax to find the key] from that an automated solution
can be built to reject unsigned messages...
It's been a while since I've done much with PGP (I have to use S/MIME
professionally and so I've gotten away from PGP), do you have any suggestions
on how we might point to the key or provide perhaps a key fingerprint in the
record?
Scott K
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com