
cacert - Re: [CA cert] DKIM and X509 certificates

Subject: A better approach to security

  • From: Daniel Black <daniel AT cacert.org>
  • To: A better approach to security <cacert AT lists.cacert.org>
  • Subject: Re: [CA cert] DKIM and X509 certificates
  • Date: Wed, 7 Jan 2009 00:01:27 +1100

On Mon, 5 Jan 2009 09:02:39 pm Alejandro Mery Pellegrini wrote:
> Daniel Black wrote:
> > Another use for certificates,
> >
> > http://mipassoc.org/pipermail/ietf-dkim/2008q4/010830.html
> >
> > feel free to contact the author with any comments. there are quite a few
> > in the thread too.
>
> I haven't tried dkim yet, but it seems a much more decent approach

It's a nice signature algorithm in a well designed verification method. The
only shame is that mail lists like adding things like [CA cert] and hence
breaking signatures.

> than the evil SPF.

Bit of an overstatement. It's simple path verification that suffers from
the disadvantages that:
1. good spammers can forge it and
2. mail blind copy forwarding, which is a kind of spoofing, can cause issues.

If you worked the two together nicely you'd have it well:
DKIM - content checking works with blind forwarding that is broken by email lists
SPF - passes email lists and breaks on blind forwarding

Unfortunately it's hard to deploy both checks in an A or B manner. Standards
like http://tools.ietf.org/html/draft-kucherawy-sender-auth-header-19 will
enable email validation to be independent of policy determinations that should
make things better eventually.

Personally I think DKIM is fine without X509 but everyone has to make a
standard at some time to scratch their own itch.

--
Daniel Black (daniel AT cacert.org)
Email Administrator

Attachment: smime.p7s
Description: S/MIME cryptographic signature
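
An added example, not part of the original message: a minimal "A or B" policy step that reads DKIM and SPF verdicts from the Authentication-Results header defined by the draft linked above, keeping validation (done by the border MTA) separate from the accept/reject decision. The authserv-id `mx.example.org`, the sample messages and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV_ID = "mx.example.org"  # assumption: id stamped by our own border MTA

def auth_results(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return {method: result} from Authentication-Results headers written by trusted_id.

    Simplified parser: does not handle quoted strings or ';' inside comments.
    """
    results = {}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        # Ignore headers stamped by any other host: a sender can insert its own.
        if authserv_id.lower().split()[:1] != [trusted_id]:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results

def a_or_b(results):
    """Policy step, separate from validation: accept if either DKIM or SPF passed."""
    return results.get("dkim") == "pass" or results.get("spf") == "pass"

def make(*ar_values):
    """Build a constructed sample message carrying the given header values."""
    headers = "".join(f"Authentication-Results: {v}\n" for v in ar_values)
    return headers + "From: alice@example.com\nSubject: [CA cert] test\n\nbody\n"

# Constructed samples covering the two failure modes described in the message.
SAMPLES = {
    # List added a subject tag: DKIM breaks, SPF passes for the list's own path.
    "via_list": make("mx.example.org; dkim=fail (signature did not verify); "
                     "spf=pass smtp.mailfrom=list.example.net"),
    # Blind forward: content untouched so DKIM passes, SPF fails on the new path.
    "blind_forward": make("mx.example.org; dkim=pass header.d=example.com; "
                          "spf=fail smtp.mailfrom=example.com"),
    # Both checks fail; a second header from an untrusted id claims otherwise.
    "forged": make("mx.example.org; dkim=none; spf=fail smtp.mailfrom=example.com",
                   "mx.untrusted.example; dkim=pass; spf=pass"),
}

def verdicts():
    return {name: a_or_b(auth_results(raw)) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(name, "accept" if ok else "reject")
```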



