
[spf-discuss] Re: Fwd: Automatic key verification / CERT in DNS / RFC4398

2006-04-06 05:37:10
On Wed, 5 Apr 2006 02:17:43 -0500, Brad Knowles said:

Can we start doing automatic key verification for mail !?

      See DKIM.

DKIM just doesn't work - at least not as described in the I-D I am
aware of.  The canonicalization rules needed for MIME are broken and
may be used to inject a faked message within a DKIM signed one.  The
recipient (or MTA) will see that the mail verified okay but the actual
content shown is the faked one.  See Thomas Roessler's "noswp
considered harmful"[1].

      And it shares most of the same problems in this respect with 
DKIM, if you try to push DKIM to process data at the individual level 
as opposed to the domain level.

      Very highly non-scalable.

I doubt that.  A PKA record like

  "v=pka1;fpr=A4D94E92B0986AB5EE9DCD755DE249965B0358A2"

can be squeezed into less than 32 bytes with a dedicated RR type.  If
you don't want to use general keyservers, add the space for an URL.
The latter may even be optimized by extending the system to define URL
shortcuts like looking up the default key distribution method of the
domain (e.g. by using HTTP).

And don't forget that an URL in the PKA record has the additional
benefit of allowing for opportunistic encryption.


Salam-Shalom,

   Werner


[1]
http://www.mhonarc.org/archive/cgi-bin/mesg.cgi?a=ietf-mailsig&i=20050720080547.GA8239%40raktajino.does-not-exist.org
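The size argument in the message above (a `v=pka1;fpr=...` TXT record versus a dedicated RR carrying the raw 160-bit fingerprint) can be made concrete with a small parser. The following is an added example written for this archive page, not code from the mail, from Werner or from GnuPG. It assumes the `uri=` field and the `<user>._pka.<domain>` record names follow GnuPG's PKA convention, and the binary layout in `pack_pka` is a hypothetical compact RDATA invented here to show the byte count, not a registered RR type.

```python
import hmac
import re

# Constructed sample records in the text PKA format quoted in the mail.
# Record names use GnuPG's _pka convention (assumption); the uri= field is
# GnuPG's optional key-location pointer (assumption), not part of the mail.
SAMPLE_TXT = {
    "werner._pka.example.org":
        "v=pka1;fpr=A4D94E92B0986AB5EE9DCD755DE249965B0358A2",
    "alice._pka.example.org":
        "v=pka1;fpr=0123456789ABCDEF0123456789ABCDEF01234567"
        ";uri=https://keys.example.org/alice.asc",
}

# An OpenPGP v4 fingerprint is 160 bits: exactly 40 hex digits.
FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_pka(txt):
    """Parse a v=pka1 TXT string into {'fpr': ..., 'uri': ...}.

    Raises ValueError on anything malformed, so a verifier never acts on a
    record it only half understood.
    """
    fields = {}
    for part in txt.split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("field without '=': %r" % part)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("unsupported or missing version tag")
    fpr = fields.get("fpr", "")
    if not FPR_RE.match(fpr):
        raise ValueError("fingerprint must be 40 hex digits")
    return {"fpr": fpr.upper(), "uri": fields.get("uri") or None}


def pack_pka(rec):
    """Hypothetical compact RDATA: 1 version byte + 20 raw fingerprint bytes,
    followed by the URI bytes only if a URI is present."""
    body = bytes([1]) + bytes.fromhex(rec["fpr"])
    if rec["uri"]:
        body += rec["uri"].encode("ascii")
    return body


def record_sizes(txt):
    """Return (text TXT size, hypothetical binary size) in bytes for one record."""
    rec = parse_pka(txt)
    return len(txt.encode("ascii")), len(pack_pka(rec))


def key_matches(txt, presented_fpr):
    """True if the fingerprint of a key obtained elsewhere (keyserver, URI)
    equals the one published in DNS. Spaces and case in the presented value
    are normalised; the comparison is constant-time by habit."""
    rec = parse_pka(txt)
    candidate = presented_fpr.replace(" ", "").upper()
    if not FPR_RE.match(candidate):
        return False
    return hmac.compare_digest(rec["fpr"], candidate)


if __name__ == "__main__":
    for name, txt in SAMPLE_TXT.items():
        text_len, bin_len = record_sizes(txt)
        print("%-26s TXT=%3d bytes  binary=%3d bytes" % (name, text_len, bin_len))
```

The fingerprint-only record costs 51 bytes as TXT text but 21 bytes in the compact form, which is the "less than 32 bytes" the mail refers to; only adding a URI pushes it past that, which is why the mail treats the URL as an optional extension. A key fetched from a keyserver should be accepted only when `key_matches` returns True for the DNS record belonging to the sender address.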
