Re: [exim] MARID, SPF, DomainKeys, SenderID ?

Author: Exim User's Mailing List
Date:  
To: David
CC: Exim User's Mailing List
Subject: Re: [exim] MARID, SPF, DomainKeys, SenderID ?
[ On Thursday, September 23, 2004 at 19:16:13 (+0200), David wrote: ]
> Subject: Re: [exim] MARID, SPF, DomainKeys, SenderID ?
>
> I've been also thinking about it after I saw some email messages with
> a PGP-Signature header. It will be easy to add a special header with
> a PGP signature added by the mta (isp) and check it. This is close to
> DomainKeys but as you noted it benefits of the existing
> infrastructure. Nevertheless this requires to accept the whole message
> body before any decision could be taken, which solves only a part of
> the spam problem. A method to take decisions before DATA is also needed
> to address the bandwidth usage problem.


No, no, nothing in the headers is relevant in the way I'm thinking of it
and that's fundamentally critical to the efficiency and effectiveness of
my proposal, especially w.r.t. its goal of being able to totally stomp
out all unwanted junk from untrusted sending systems.

End-to-end authentication, integrity, (and privacy) would still be done
with MUA-level tools such as the existing PGP (or S/MIME).

What I've been proposing is at the MTA-to-MTA connection level _only_.

Indeed it could possibly be done completely transparently to SMTP -- the
MTA would simply use the client's (source) IP (and/or the hostname
resolved from its PTR) to look up a PGP key for the client. The trust
level of that key would determine whether or not the connection was
allowed or allowed with restrictions (e.g. adding "tag" headers to warn
the user and any compatible MUA applications).

However it would also be sensible to add an ESMTP command similar to
STARTTLS that would present a PGP key for verification and analysis.

Both mechanisms would be necessary to get any initial penetration and
critical mass.

I.e. I'm not talking about anything to do with data integrity or privacy
-- simply a secure means of assessing the level of trust one has in the
connecting client using an entirely existing web-of-trust style key
infrastructure.

Except for the S.M.O.P. those of us who have relatively few trusted SMTP
peers could start using it yesterday.

-- 
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
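
The connect-time decision described in the message above, sketched as an added example that is not part of the original post and not Exim code. Assumptions: key validity follows GnuPG's classic web-of-trust defaults (one fully trusted or three marginally trusted introducers), clients with no usable key are rejected, and every key id, address and function name is constructed for illustration.

```python
# Added illustration: every name, key id and address below is constructed.
# Trust rule assumed: GnuPG's classic defaults (1 full or 3 marginal introducers).
OWNERTRUST = {"postmaster": "ultimate", "peer-a": "full",
              "peer-b": "marginal", "peer-c": "marginal", "peer-d": "marginal"}
# key id -> set of key ids that have certified (signed) it
SIGS = {
    "peer-a": {"postmaster"}, "peer-b": {"postmaster"},
    "peer-c": {"postmaster"}, "peer-d": {"postmaster"},
    "mx1": {"peer-a"},                      # one fully trusted introducer
    "mx2": {"peer-b", "peer-c", "peer-d"},  # three marginal introducers
    "mx3": {"peer-b"},                      # one marginal introducer only
    "mx4": {"stranger"},                    # signer outside our web of trust
}
# connecting client IP -> key id published for that host
KEY_FOR_CLIENT = {"192.0.2.1": "mx1", "192.0.2.2": "mx2",
                  "192.0.2.3": "mx3", "192.0.2.4": "mx4"}


def key_validity(sigs, ownertrust, completes=1, marginals=3):
    """Return {key id: "full" | "marginal" | "unknown"}."""
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}

    def count(key):
        # Only signatures made by already-valid keys count as introductions.
        ok = [s for s in sigs.get(key, ()) if s in valid]
        full = sum(ownertrust.get(s) in ("ultimate", "full") for s in ok)
        marg = sum(ownertrust.get(s) == "marginal" for s in ok)
        return full, marg

    changed = True
    while changed:  # iterate to a fixed point so chains of introducers resolve
        changed = False
        for key in sigs:
            full, marg = count(key)
            if key not in valid and (full >= completes or marg >= marginals):
                valid.add(key)
                changed = True
    return {k: "full" if k in valid else
               "marginal" if any(count(k)) else "unknown" for k in sigs}


def connection_policy(client_ip):
    """Map the client's key validity to accept / tag / reject at connect time."""
    validity = key_validity(SIGS, OWNERTRUST)
    state = validity.get(KEY_FOR_CLIENT.get(client_ip), "unknown")
    return {"full": "accept", "marginal": "tag", "unknown": "reject"}[state]
```

The decision uses only the client address and the keyring, so it can be made before DATA; "tag" corresponds to accepting the connection with a warning header added.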