
[spf-discuss] Re: Automatic key verification / CERT in DNS / RFC4398

2006-04-06 03:48:43
On Wed, 5 Apr 2006 20:03:46 -0500, Brad Knowles said:

      Keep in mind that relatively few people use any kind of personal
      encryption at all, and most that do make use of S/MIME instead of PGP
      or GPG, because S/MIME is what is provided by default from Microsoft

The problem with S/MIME is that you can't create a usable
certificate for yourself.  You have to hand over a lot of money to
a more or less trustworthy CA with no real benefit.  OpenPGP may be used
much easier in that respect.

Using PKA you may use self-signed certificates for S/MIME in the same
way as you use PGP keys.  Yes, the security is limited by the DNS but
well, that is a problem another group needs to solve ;-)

      So long as you stick to just one key for the entire domain, it
      doesn't matter if it's DKIM or PGP.  It still has some greatly
      increased CPU requirements (because every single message passing
      through the server will now have to be cryptographically signed,
      which will increase the CPU server load by many orders of magnitude
      per message), but at least it has the possibility of being scalable

I doubt that signing a message puts more load on a server than all the
spam filtering and virus scanning in use today.

DKIM and other methods are also quite computing intensive. 

      We did try this technique before -- it was called pgpsendmail,
      and it cryptographically signed every message passing through the
      system.  It didn't work very well, and few people ended up using it.

Because the key distribution and validation of the keys was not solved.

      Doing client-side signing and verification is definitely
      scalable, but is difficult to get jump-started.

Thus start with server-side signing using one key per domain.

      I don't think that's likely to happen any time soon.  The
      solutions which are easy to implement are non-scalable, and the
      scalable solutions are much more difficult to implement.

DNSSEC does not scale?  Okay, then DNS will eventually be useless.

DNS-CERT does not scale?  The I* types will help to offload the keys.

PKA on a per user base does not scale?  Well, this might be a problem
with millions of users per domain.  I don't know for sure but I doubt
that, say, 64 extra bytes of user data makes any difference to these
providers.

Salam-Shalom,

   Werner

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
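The PKA scheme discussed above publishes a per-user DNS TXT record that binds an address to a key fingerprint plus a location to fetch the key from. The following is an added example, not code from the thread or from GnuPG; it assumes the PKA record layout `v=pka1;fpr=<hex>;uri=<uri>` under `<user>._pka.<domain>`, and shows the check that gives the scheme its (DNS-limited) security: a key fetched from the URI is accepted only if its OpenPGP v4 fingerprint matches the one published in DNS. The key bytes are a constructed stand-in, not a real key.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Assumed PKA TXT record layout (GnuPG's PKA mechanism, not quoted in the thread):
#   <local-part>._pka.<domain>  IN TXT  "v=pka1;fpr=<hex fingerprint>;uri=<where to fetch the key>"


@dataclass
class PkaRecord:
    fpr: str
    uri: str


def parse_pka(txt: str) -> PkaRecord:
    """Parse and validate one PKA TXT record; raise ValueError on anything malformed."""
    fields = {}
    for item in txt.strip().split(";"):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"bad field: {item!r}")
        key, value = item.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported or missing PKA version")
    fpr = fields.get("fpr", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("fpr must be a 40-hex-digit OpenPGP v4 fingerprint")
    return PkaRecord(fpr=fpr, uri=fields.get("uri", ""))


def openpgp_v4_fingerprint(pubkey_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, 2-byte length, packet body."""
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def key_matches_record(record: PkaRecord, pubkey_body: bytes) -> bool:
    """The binding check: a key fetched from record.uri is usable only if it hashes
    to the fingerprint published in DNS; anything else is rejected."""
    return hmac.compare_digest(openpgp_v4_fingerprint(pubkey_body), record.fpr)


# Constructed sample: a fake public-key packet body and the record a domain would publish for it.
SAMPLE_KEY_BODY = b"\x04" + bytes(range(1, 60))  # not a real key, just bytes to fingerprint
SAMPLE_RECORD = f"v=pka1;fpr={openpgp_v4_fingerprint(SAMPLE_KEY_BODY)};uri=https://example.net/keys/user.asc"
TAMPERED_KEY_BODY = SAMPLE_KEY_BODY[:-1] + b"\x00"  # what a substituted key would look like
```

Note that `parse_pka` refuses records it cannot fully validate and `key_matches_record` fails closed, so a bad or missing DNS answer degrades to "no key", never to an unverified key.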
