Automatic key verification / CERT in DNS / RFC4398

Werner Koch wk at gnupg.org
Wed Apr 5 14:44:28 CEST 2006


On Tue, 4 Apr 2006 13:37:35 +0000, Julian Mehnle said:

> What do folks -- especially the gnupg-devel ones -- think about using SPF 
> for that purpose?  Are there any non-obvious fundamental issues that need 
> to be taken into account?

I consider SPF far too complex to solve the simple goal of
authenticating the source of an email.  It does not stop spam, as
this requires content filters and the jurisdiction and won't
authenticate the full message.

Agreed, neither OpenPGP nor S/MIME will authenticate the header
(e.g. the Subject) but there are easy ways to do this within the
existing framework: Just wrap the entire message into a message/rfc822
container and sign it.  A MUA may then properly indicate what has been
signed.

The goal of PKA is much simpler: Authenticate the From: header and
allow the MUA or MTA to detect spoofed messages this way.

The ability to do an opportunistic encryption using the PKA framework
is just a very welcome side-effect.


Shalom-Salam,

   Werner



