
[spf-discuss] Re: Automatic key verification / CERT in DNS / RFC4398

2006-04-04 06:38:37

Jeroen Massar wrote:
> [GnuPG 1.4.3 / Public Key Association (PKA) / CERT in DNS / RFC 4398]
> Can we start doing automatic key verification for mail !?
>
> It would be really good if there would now come a draft which will
> propose the standard order of getting a key, when one doesn't have it or
> wants to get it again. This release of GnuPG allows one to already
> specify it. It would be really good if this was standardized and also
> implemented. Especially in combination with a domain policy (which could
> be incorporated in say SPF).

Indeed the SPF project has plans to introduce another revision of the SPF 
protocol, now that SPFv1 (v=spf1) will be out as an IETF RFC within the 
next few weeks.  While v=spf1 only supports IP-address-based authentication
of the envelope sender, the idea has long been for SPF to be much
more than that, i.e. to be a "Sender Policy Framework" allowing domain 
owners to specify a wide range of policies, covering non-envelope (RFC 
2822) identities and authentication methods like DKIM, PGP, and S/MIME.

The rough timeline could be for that revision to be released sometime in 
Q3/2006 to Q1/2007, depending on the feature set chosen (which is still 
open to debate).

> Thus, eg I mail from jeroen(_at_)unfix(_dot_)org, one can lookup
> _policy.unfix.org, which will say "mail:PGP:required" or something
> similar. SMTP clients/servers receiving mail signed by me, can then use
> one, or more, of the key retrieval techniques to fetch the key. PKA +
> Cert become very good for this and thus allow automatic verification.
> When the mail is not signed or falsely signed, one can discard the
> message based on the policy.
> [...]
> This all though leads to a concern on the placing of the CERTS. Having a
> large user base would mean that one has say 600k records or more in the
> main zone for a domain, which gets reloaded every now and then when one
> needs to update it. It would IMHO be better to be able to off load those
> records to say _cert.example.org. [...]

While for v=spf1 mostly TXT RRs are used in practice, SPF has been assigned 
a dedicated "SPF" RR type (code 99), which is already being used (queried) 
by a few implementations.  Also, SPF's macro feature would be useful for 
specifying custom DNS zone layouts for where to search for key records.  
(Are there ones besides CERT/RFC2538/RFC4398?)

What do folks -- especially the gnupg-devel ones -- think about using SPF 
for that purpose?  Are there any non-obvious fundamental issues that need 
to be taken into account?

Julian.
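
The zone-layout idea raised in the message above, sketched as an added example that is not part of the original post or of any SPF or GnuPG code: a subset of the SPFv1 macro syntax (RFC 4408, section 8.1) expanded into a key-record lookup name, with the result validated because the local part comes from the message. The templates and the function names `expand` and `key_lookup_name` are hypothetical; no SPF revision defines such a key-lookup mechanism.

```python
import re

# Lower-case macro letters only (s, l, o, d); the URL-escaping upper-case forms
# and the i/p/h/c/r/t/v letters of RFC 4408 section 8.1 are left out.
_MACRO = re.compile(r"%(?:\{([slod])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))")
_LITERAL = {"%": "%", "_": " ", "-": "%20"}
_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")

def expand(template, sender):
    """Expand SPF macros in template for the mailbox sender (local@domain)."""
    local, _, domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": domain, "d": domain}

    def substitute(match):
        letter, digits, reverse, delims, literal = match.groups()
        if literal:
            return _LITERAL[literal]
        # Split on the listed delimiters (default "."), optionally reverse,
        # optionally keep the right-most N parts, and re-join with dots.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]
        return ".".join(parts)

    # Any "%" that is not part of a well-formed macro is a syntax error.
    if "%" in _MACRO.sub("", template):
        raise ValueError("malformed macro in template")
    return _MACRO.sub(substitute, template)

def key_lookup_name(template, sender):
    """Expand, then refuse anything that is not a plain DNS name."""
    name = expand(template, sender)
    labels = name.split(".")
    if len(name) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError("unsafe lookup name: %r" % name)
    return name.lower()

if __name__ == "__main__":
    # Constructed inputs; both templates are hypothetical zone layouts.
    print(key_lookup_name("%{l}._cert.%{d}", "jeroen@unfix.org"))
    print(key_lookup_name("%{l1r-}._cert.%{d2}", "jeroen-lists@mail.unfix.org"))
```

Rejecting over-long names is a simplification chosen for this sketch; RFC 4408 instead truncates labels from the left when an expanded domain exceeds 253 characters.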