Automatic key verification / CERT in DNS / RFC4398

Scott Kitterman scott at kitterman.com
Thu Apr 6 03:02:24 CEST 2006


On 04/05/2006 05:50, Werner Koch wrote:
> On Tue, 04 Apr 2006 14:24:18 +0200, Jeroen Massar said:
> > This all though leads to a concern on the placing of the CERTS. Having a
>
> That is not really a question.  The new DNS based certificate (well,
> keyblock) capability of gpg is independent of the PKA system.  Keys
> may still be stored on key servers (which are much better now than in
> the past) or on web pages or wherever one wants.
>
> Actually you can start deploying such a system right now if you do
> it at the MTA and use just a key per domain.  This will allow better
> verification of mails from potential phishing targets.
>
>
That's true.  What I think is envisioned for a linkage from SPF is some 
indication of whether to expect messages to be signed.  The idea we are 
exploring is to, in a new version of SPF, really take on the idea inherent in 
the name, Sender Policy Framework, and offer a method for domains to describe 
their sending practices.

Relative to GPG signing, I can imagine that it might be useful to know that a 
domain signs all messages so that an unsigned message can automatically be 
deemed to be suspicious, rejected, etc.

Scott Kitterman