Automatic key verification / CERT in DNS / RFC4398
scott at kitterman.com
Thu Apr 6 03:02:24 CEST 2006
On 04/05/2006 05:50, Werner Koch wrote:
> On Tue, 04 Apr 2006 14:24:18 +0200, Jeroen Massar said:
> > This all though leads to a concern on the placing of the CERTS. Having a
> That is not really a question. The new DNS based certificate (well,
> keyblock) capability of gpg is independent of the PKA system. Keys
> may still be stored on key servers (which are much better now than in
> the past) or on web pages or whereever one wants.
> Actually you can starting deploying such a system right now if you do
> it at the MTA and use just a key per domain. This will allow better
> verification of mails from potential phishing targets.
That's true. What I think is envisioned for a linkage from SPF is some
indication of whether to expect messages to be signed. The idea we are
exploring is to, in a new version of SPF, really take on the idea inherent in
the name, Sender Policy Framework and offer a method for domains to describe
their sending practices.
Relative to GPG signing, I can imagine that it might be useful to know that a
domain signs all messages so that an unsigned message can automatically be
deem to be suspicious, rejected, etc.
More information about the Gnupg-devel