
Re: [spf-discuss] Post-IPocalyptic SPF

2011-03-08 00:32:13
On Sun, 6 Mar 2011, Stuart D. Gathman wrote:
> Is this what you are thinking?
>
> v=spf1 ?a:mail.6to4.com tls=smtp.example.com -all

Something like that, yes.  Although it would probably need a bit more
complexity to be secure.

If we just use a domain name as a selector and rely on the same
certificate distribution as web browsers use, then we become vulnerable to
false certificates.

I remember (but can't seem to find online) a recent case where a
Repressive Regime forced a local ISP, which happened to be an intermediate
CA, to issue false certificates so they could snoop connections to
various international sites.

To pull that off for the Web requires both the false certificate and the
capacity to be a man-in-the-middle at the IP level, and the latter is
harder to achieve.  (TLS is still useful as a defense against entities
that can spy on but not alter traffic.)

But since we'd be doing this to compensate for a non-unique IP address,
the network-layer MITM isn't needed for a successful forgery.


In contrast, DKIM would give us the key management for free.  A MITM that
could defeat DKIM (by inserting the attacker's key into the DNS results)
could also trivially defeat vanilla SPFv1 (by changing the SPF lookup to
"v=spf1 +all").

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
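Added example, not code from this message, from either of its authors, or from the SPF project: a minimal SPF v1 evaluator run over a constructed, in-memory stand-in for DNS. It evaluates the hypothetical record quoted above for a legitimate host and for an unrelated sender, then re-evaluates the unrelated sender after the domain's TXT answer has been replaced by "v=spf1 +all", which is the substitution the last paragraph describes. The `tls=` modifier is carried through as an unrecognised modifier, as RFC 4408 requires for unknown modifiers. The hostnames, addresses and the DNS map are assumptions made for the example; only the `a`, `ip4`, `ip6` and `all` mechanisms are implemented.

```python
import ipaddress
import re

# Constructed, offline stand-in for DNS (example names/addresses only):
# "A" maps hostnames to addresses, "TXT" maps domains to their SPF record.
# The record under example.com is the hypothetical one from the thread,
# including the proposed "tls=" modifier, which is not a real SPF term.
DNS = {
    "A": {"mail.6to4.com": ["192.0.2.25"]},
    "TXT": {"example.com": "v=spf1 ?a:mail.6to4.com tls=smtp.example.com -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER_RE = re.compile(r"([a-z][a-z0-9_.-]*)=(.*)", re.I)


def parse_record(record):
    """Split an SPF v1 record into (mechanisms, modifiers).

    mechanisms: list of (qualifier, name, argument-or-None), in record order.
    modifiers:  dict name -> value; unknown ones (like tls=) are kept but
                have no effect on evaluation, as RFC 4408 requires.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        m = MODIFIER_RE.fullmatch(term)
        if m:
            modifiers[m.group(1).lower()] = m.group(2)
            continue
        qualifier = "+"                      # bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg or None))
    return mechanisms, modifiers


def mechanism_matches(name, arg, domain, ip, dns):
    """Evaluate the subset of mechanisms this example needs: all, a, ip4/ip6."""
    if name == "all":
        return True
    if name == "a":
        target = arg or domain
        return any(ip == ipaddress.ip_address(a) for a in dns["A"].get(target, []))
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"mechanism {name!r} not implemented in this example")


def check_host(ip, domain, dns):
    """Return (result, modifiers) for a sender IP against domain's SPF record."""
    ip = ipaddress.ip_address(ip)
    record = dns["TXT"].get(domain)
    if record is None:
        return "none", {}
    mechanisms, modifiers = parse_record(record)
    for qualifier, name, arg in mechanisms:
        if mechanism_matches(name, arg, domain, ip, dns):
            return QUALIFIERS[qualifier], modifiers
    return "neutral", modifiers              # default when nothing matches


def with_forged_record(dns, domain, forged):
    """Model a verifier whose DNS answer for the domain has been replaced."""
    tampered = {"A": dict(dns["A"]), "TXT": dict(dns["TXT"])}
    tampered["TXT"][domain] = forged
    return tampered


if __name__ == "__main__":
    legit, unrelated = "192.0.2.25", "198.51.100.7"   # constructed addresses
    print("legit host     :", check_host(legit, "example.com", DNS)[0])
    print("unrelated host :", check_host(unrelated, "example.com", DNS)[0])
    forged = with_forged_record(DNS, "example.com", "v=spf1 +all")
    print("unrelated host, DNS answer replaced:",
          check_host(unrelated, "example.com", forged)[0])
```

Against the genuine record the legitimate host gets `neutral` (the `?a` term) and the unrelated host `fail` (`-all`); once the TXT answer has been replaced the same unrelated host gets `pass`. A verifier's SPF result, like its DKIM key lookup, is only as trustworthy as the DNS answer it was computed from, which is the reason the thread weighs where the trust anchor for the new mechanism should live.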

