Automatic key verification / CERT in DNS / RFC4398
julian at mehnle.net
Wed Apr 5 15:26:37 CEST 2006
Werner Koch wrote:
> On Tue, 4 Apr 2006 13:37:35 +0000, Julian Mehnle said:
> > What do folks -- especially the gnupg-devel ones -- think about using
> > SPF for that purpose? Are there any non-obvious fundamental issues
> > that need to be taken into account?
> I consider SPF far too complex to solve the simple goal of
> authenticating the source of an email. It does not stop spam, as
> this requires content filters and the jurisdiction and won't
> authenticate the full message.
Let me say this in advance: I do NOT want to start a lengthy discussion
across several mailing lists about that. But I think there are a few
misconceptions to be clarified:
SPF does not aim to stop spam, it aims to stop forgery -- not necessarily
by directly doing the authentication itself (SPFv1 cares about the
envelope sender only, the next revision aims to do more than that). In
particular, SPF does NOT aim to replace DKIM or PGP, but to complement
them by giving domain owners the means to publicly specify their mail
sending policies in a standardized way.
(BTW, if you think SPF is "too complex", then you should take into account
that the SPFv1 spec is over 40 pages long only because it already includes
lots of lessons learned, security considerations, and other non-authorita-
> The goal of PKA is much simpler: Authenticate the From: header and
> allow the MUA or MTA to detect spoofed messages this way.
> The ability to do an opportunistic encryption using the PKA framework
> is just a very welcome side-effect.
It is exactly that side-effect of opportunistic encryption that SPF aims to
Is that support (i.e. the standardized means to publicly specify your
sending/signing policy) not something worth considering? If you
think that PKA already does the part _you_ want, then you may be missing
the fact that not every sender may choose PGP+PKA as their authentication
method, and that receivers may not want to check _all_ the methods out
there for a given message until they find one that actually authenticates
the message. SPF could act as an arbitrator for the various existing
More information about the Gnupg-devel