Automatic key verification / CERT in DNS / RFC4398

Julian Mehnle julian at mehnle.net
Wed Apr 5 15:26:37 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Werner Koch wrote:
> On Tue, 4 Apr 2006 13:37:35 +0000, Julian Mehnle said:
> > What do folks -- especially the gnupg-devel ones -- think about using
> > SPF for that purpose?  Are there any non-obvious fundamental issues
> > that need to be taken into account?
>
> I consider SPF far too complex to solve the simple goal of
> authenticating the source of an email.  It does not stop spam, as
> this requires content filters and the jurisdiction and won't
> authenticate the full message.

Let me say this in advance: I do NOT want to start a lengthy discussion 
across several mailing lists about that.  But I think there are a few 
misconceptions to be clarified:

SPF does not aim to stop spam, it aims to stop forgery -- not necessarily 
by directly doing the authentication itself (SPFv1 cares about the 
envelope sender only, the next revision aims to do more than that).  In 
particular, SPF does NOT aim to replace DKIM or PGP, but to complement 
them by giving domain owners the means to publicly specify their mail 
sending policies in a standardized way.

(BTW, if you think SPF is "too complex", then you should take into account 
that the SPFv1 spec is over 40 pages long only because it already includes 
lots of lessons learned, security considerations, and other 
non-authoritative stuff.)

> The goal of PKA is much simpler: Authenticate the From: header and
> allow the MUA or MTA to detect spoofed messages this way.
> 
> The ability to do an opportunistic encryption using the PKA framework
> is just a very welcome side-effect.

It is exactly that side-effect of opportunistic encryption that SPF aims to 
support.

Is that support (i.e. the standardized means to publicly specify your 
sending/signing policy) not something worth considering?  If you 
think that PKA already does the part _you_ want, then you may be missing 
the fact that not every sender may choose PGP+PKA as their authentication 
method, and that receivers may not want to check _all_ the methods out 
there for a given message until they find one that actually authenticates 
the message.  SPF could act as an arbitrator for the various existing 
authentication methods.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEM8WOwL7PKlBZWjsRArGYAJ404uYC5ifZyJCTP6ZvvVHnPP56iQCeNDTr
Q1JErdzYRDbDM9I0ya/6cNU=
=i1jf
-----END PGP SIGNATURE-----



More information about the Gnupg-devel mailing list