Signed Envelope Sender: moving back to srs-discuss
Let's move this thread back to srs-discuss...

On Fri, Feb 27, 2004 at 06:40:20PM -0500, Meng Weng Wong wrote:
| On Fri, Feb 27, 2004 at 11:14:38PM +0000, David Woodhouse wrote:
| |
| | I'm currently experimenting, as I believe I already mentioned, with SRS
| | on my _own_ outgoing mail, coupled with rejecting bounces to my 'raw'
| | email address.
|
| I'm calling this SES, for Signed Envelope Sender.
|
| If you take a step back you'll see it's the logical extension of a
| pattern that goes like this:
|
| signature in the message body, unstructured: PGP mark 1
| signature in the message, structured in MIME: S/MIME
| signature in the message headers: Domainkeys
| signature in the envelope: SES
|
| It's a little bit like VERP and TitanKeys and TMDA, except that the
| tags aren't just plaintext but are cryptographically generated with a
| secret.
|
| So you don't have to worry about forgery; you just have to keep the
| secret safe.
|
| But you do have to worry about replay attacks.
|
| If a spammer gets their hands on your SES address, they can forge that
| address in spam, and implicate you, and we're back where we started.
| Except, of course, that if your MTA possesses some alacrity, and if
| receiver MTAs are dutifully holding up their end by doing CBV, then you
| have some chance of invalidating the address before it gets used too
| widely.
|
| So the pros and cons can be debated; it requires more adoption by a
| different sector, the sender MTAs and ISPs; but that may not be so bad.
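
Added example, not part of the original thread and not code from SRS or any SES implementation: a sketch of the scheme discussed above, where the envelope sender carries a keyed tag, bounces to the raw address are rejected, and a day stamp plus a revocation set bound the replay window. The SES=tag=day=local@domain layout, the 7-day window, the secret and the addresses are all assumptions made up for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value; a real key stays private
MAX_AGE_DAYS = 7                     # assumed replay window
REVOKED = set()                      # tags invalidated after abuse is seen

def _tag(local, domain, day, secret):
    # Keyed tag over the day stamp and the real address (truncated HMAC-SHA256).
    msg = f"{day}:{local}@{domain}".lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10]

def _today(now):
    return int((time.time() if now is None else now) // 86400)

def sign_sender(local, domain, now=None, secret=SECRET):
    """Build the envelope sender (MAIL FROM) for an outgoing message."""
    day = _today(now)
    return f"SES={_tag(local, domain, day, secret)}={day}={local}@{domain}"

def revoke(signed_addr):
    """Invalidate one signed address, e.g. after it shows up in forged mail."""
    REVOKED.add(signed_addr.split("=", 2)[1])

def check_bounce_rcpt(rcpt, now=None, secret=SECRET):
    """Decide whether a bounce addressed to rcpt is accepted: (ok, reason)."""
    localpart, _, domain = rcpt.rpartition("@")
    parts = localpart.split("=", 3)
    if len(parts) != 4 or parts[0] != "SES":
        return False, "unsigned"        # bounce to the raw address
    _, tag, day_s, local = parts
    if not (day_s.isascii() and day_s.isdigit()):
        return False, "malformed"
    day = int(day_s)
    expected = _tag(local, domain, day, secret)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, "bad-signature"   # forged or altered tag
    if not 0 <= _today(now) - day <= MAX_AGE_DAYS:
        return False, "expired"         # replay outside the window
    if tag in REVOKED:
        return False, "revoked"         # replay of an invalidated address
    return True, "ok"
```

A valid tag can still be replayed until it expires or is revoked, which is the residual risk the message above describes.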