On Wed, 5 Apr 2006 20:03:46 -0500, Brad Knowles said:
> Keep in mind that relatively few people use any kind of personal
> encryption at all, and most that do make use of S/MIME instead of PGP
> or GPG, because S/MIME is what is provided by default from Microsoft
The problem with S/MIME is that you can't create a usable
certificate for yourself. You have to hand over a lot of money to
a more or less trustworthy CA with no real benefit. OpenPGP may be used
much more easily in that respect.
Using PKA you may use self-signed certificates for S/MIME in the same
way as you use PGP keys. Yes, the security is limited by the DNS but
well, that is a problem another group needs to solve ;-)
> So long as you stick to just one key for the entire domain, it
> doesn't matter if it's DKIM or PGP. It still has some greatly
> increased CPU requirements (because every single message passing
> through the server will now have to be cryptographically signed,
> which will increase the CPU server load by many orders of magnitude
> per message), but at least it has the possibility of being scalable
I doubt that signing a message puts more load on a server than all the
spam filtering and virus scanning in use today.
DKIM and other methods are also quite computing intensive.
> We did try this technique before -- it was called pgpsendmail,
> and it cryptographically signed every message passing through the
> system. It didn't work very well, and few people ended up using it.
Because the key distribution and validation of the keys was not solved.
Doing client-side signing and verification is definitely
scalable, but is difficult to get jump-started.
Thus start with server-side signing using one key per domain.
> I don't think that's likely to happen any time soon. The
> solutions which are easy to implement are non-scalable, and the
> scalable solutions are much more difficult to implement.
DNSSEC does not scale? Okay, then DNS will eventually be useless.
DNS-CERT does not scale? The I* types will help to offload the keys.
PKA on a per-user basis does not scale? Well, this might be a problem
with millions of users per domain. I don't know for sure but I doubt
that, say, 64 extra bytes of user data makes any difference to these
providers.
Salam-Shalom,
Werner
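The per-user DNS lookup that PKA relies on, as an added example in Python (not code from this thread or from GnuPG): it derives the owner name for an address, parses the TXT record, and uses a fetched key only if its fingerprint matches the one pinned in DNS. The record syntax `v=pka1;fpr=...;uri=...` at `<local-part>._pka.<domain>` is assumed to be the PKA v1 convention; the DNS answers and key fingerprints are constructed stand-ins.

```python
import re

# Constructed sample DNS answers (assumption: PKA v1 TXT record syntax
# "v=pka1;fpr=<40 hex>;uri=<key location>" at <local-part>._pka.<domain>).
FAKE_DNS_TXT = {
    "alice._pka.example.org":
        "v=pka1;fpr=0123456789ABCDEF0123456789ABCDEF01234567;uri=https://example.org/alice.asc",
    "bob._pka.example.org":
        "v=pka1;fpr=89ABCDEF0123456789ABCDEF0123456789ABCDEF;uri=https://example.org/bob.asc",
}
# Constructed fingerprints of the keys a client would fetch from each uri;
# bob's published key does not match what his DNS record pins.
FAKE_KEY_FPR = {
    "https://example.org/alice.asc": "0123456789ABCDEF0123456789ABCDEF01234567",
    "https://example.org/bob.asc": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
}

def pka_name(address):
    """DNS owner name that holds the PKA record for an e-mail address."""
    local, _, domain = address.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return f"{local}._pka.{domain}"

def parse_pka(txt):
    """Return (fingerprint, uri) from a PKA v1 TXT record, or raise ValueError."""
    fields = dict(part.strip().partition("=")[::2] for part in txt.split(";"))
    if fields.get("v") != "pka1":
        raise ValueError("unsupported PKA version")
    fpr = fields.get("fpr", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):  # v4 OpenPGP fingerprint
        raise ValueError("fingerprint must be 40 hex digits")
    if not fields.get("uri"):
        raise ValueError("missing key uri")
    return fpr, fields["uri"]

def lookup_key(address, dns=FAKE_DNS_TXT, keys=FAKE_KEY_FPR):
    """Fingerprint of the key to use for address, or None when the record is
    absent or malformed, or when the fetched key disagrees with DNS."""
    txt = dns.get(pka_name(address))
    if txt is None:
        return None
    try:
        fpr, uri = parse_pka(txt)
    except ValueError:
        return None
    # Only the fingerprint pinned in DNS decides; a key fetched from the uri
    # that does not carry that fingerprint is rejected rather than used.
    return fpr if keys.get(uri) == fpr else None
```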
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/