spf-discuss

Re: [spf-discuss] Re: Fwd: Automatic key verification / CERT in DNS / RFC4398

2006-04-06 14:44:27

On Wed, 5 Apr 2006, Werner Koch wrote:

> DKIM just doesn't work - at least not as described in the I-D I am
> aware of.  The canonicalization rules needed for MIME are broken

Can you explain in what way that is so?

> and may be used to inject a faked message within a DKIM signed one.  The
> recipient (or MTA) will see that the mail verified okay but the actual
> content shown is the faked one.  See Thomas Roessler's "noswp
> considered harmful"[1].

I think this is actually fixed in latest spec.

> > And it shares most of the same problems in this respect with
> > DKIM, if you try to push DKIM to process data at the individual level
> > as opposed to the domain level.
> >
> > Very highly non-scalable.

> I doubt that.  A PKA record like
>
>  "v=pka1;fpr=A4D94E92B0986AB5EE9DCD755DE249965B0358A2"
>
> can be squeezed into less than 32 bytes with a dedicated RR type.

I've tried to lobby (at DKIM and MASS lists) that fingerprints are much better suited (than a full public key) for a dns-based PKI system because of their fixed and small size many times. Unfortunately people there due to political agreements are not interested in listening (yahoo insists on public key in dns as the only way or otherwise they would not participate).

BTW what you have above is pretty much what I listed at META Signatures specification. There it is actually using SPF as a placeholder for fingerprints, i.e.
 v=spf1 ... fp1=A4D94E92B0986AB5EE9DCD755DE249965B0358A2

> If you don't want to use general keyservers, add the space for an URL.
> The latter may even be optimized by extending the system to define URL
> shortcuts like looking up the default key distribution method of the
> domain (e.g. by using HTTP).

Why bother? Just specify the entire URL directly as part of the signature
itself. In DNS you just need to verify that the keyserver is authorized
to provide PKI info for that domain. That can be done with an SRV record
or you can kind-of encode it directly as part of the hostname, i.e.
 srv1._keyserv.domain.com
can be considered an authorized keyserver for domain.com because its
host is in a reserved subdomain of domain.com

---
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
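An added illustration, not code from this thread or from any of the specifications mentioned: a Python sketch of the verifier side of the scheme discussed above. It parses a PKA TXT record and an SPF-style fp1= placeholder into a 20-byte fingerprint, accepts a keyserver URL only when its host is a label under the reserved _keyserv.<domain> subdomain, and compares a fetched key blob against the DNS fingerprint. Treating the fingerprint as SHA-1 over the raw blob, and every sample value, are assumptions made for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# A 160-bit OpenPGP v4 fingerprint is 40 hex digits (20 bytes on the wire).
FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_pka(txt):
    """Parse a PKA-style TXT record ("v=pka1;fpr=<hex>") into 20 fingerprint bytes.
    Returns None when the version tag is wrong or the fingerprint is malformed."""
    tags = {}
    for field in txt.split(";"):
        key, sep, value = field.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "pka1" or not FPR_RE.match(tags.get("fpr", "")):
        return None
    return bytes.fromhex(tags["fpr"])


def parse_spf_fp(txt):
    """Collect fp<n>=<hex> placeholder tags from an SPF record (the META Signatures idea).
    Malformed terms are ignored, much as SPF evaluators ignore unknown modifiers."""
    if txt.split()[:1] != ["v=spf1"]:
        return {}
    found = {}
    for term in txt.split()[1:]:
        m = re.match(r"^fp(\d+)=([0-9A-Fa-f]{40})$", term)
        if m:
            found[int(m.group(1))] = bytes.fromhex(m.group(2))
    return found


def keyserver_authorized(url, domain):
    """Accept a keyserver only if its host is a label under the reserved
    _keyserv.<domain> subdomain; scheme, port and path play no role."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    suffix = "._keyserv." + domain.lower().rstrip(".")
    return host.endswith(suffix) and len(host) > len(suffix)


def key_matches(key_blob, fpr):
    """Compare a key fetched from the keyserver against the DNS fingerprint.
    Assumption for this example: the fingerprint is SHA-1 over the raw blob."""
    return hmac.compare_digest(hashlib.sha1(key_blob).digest(), fpr)
```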

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/