Re: [exim] support for domainkeys

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Exim User's Mailing List
Data:  
Para: David
CC: Exim User's Mailing List
Asunto: Re: [exim] support for domainkeys
[ On Thursday, September 23, 2004 at 22:31:00 (+0200), David wrote: ]
> Subject: Re: [exim] support for domainkeys
>
> yes, but ask all email users to starts using it, it will take lots
> of years to get a significant portion of them to use it. The other
> solution is to use pgp to sign the messages at the mta. In any case
> none of those solutions could be used before DAT, which does not
> solve the problem of bandwith used by spam.


Ah, but the crux of the issue is that the ISP cannot (and MUST NOT)
attempt to make claims about the identity of the end user (at least not
given the currently common way MUAs are integrated into the e-mail
systems we use.

End-to-end forgery can only be prevented if both ends use a secure
authentication (and encryption) mechanism.

> well, PGP cannot do anything about forgery for those millions of people
> who will never use it either, so we are in the same situation, well,


Except that PGP can be used by anyone who cares about avoiding forgery,
and it can be used transparently to the transport channel (i.e. without
need for co-operation, or permission, by the network or MTA operators)

SPF and PRA cannot be used by those who care about avoiding forgery.
Those mechanisms must be implemented by _all_ (or at least the vast
majority of) MTA operators before anyone can trust them at any level.

> it's more difficult to have all email users to use PGP than all isp's
> to use spf.


That's irrelevant. SPF and PRA _MUST_ be implemented by all MTA
operators before they can be useful whereas PGP can be used as needed
and where needed and without the support or permission of MTA operators.

Similarly use of PGP keys to determine the authenticity and trust level
of a connecting SMTP client could be started on an as needed, where
needed basis. SPF (and PRA) relies entirely on the good will of
_everyone_ else to match and honour your claims to which sending MTAs
can use your domain name. A web-of-trust model for assessing connecting
clients means you control the level of trust you have in a the sending
system without having to have an initial direct relationship with it.

- -- 
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>