John Robinson wrote:
> On 07/11/2007 16:36, Dean Brooks wrote:
>> On Wed, Nov 07, 2007 at 03:54:42PM +0000, John Robinson wrote:
>>> [...] I'd have thought that sending to MX with TLS, offering a real
>>> certificate, would be a good way of saying "yes I really am who I say I
>>> am". Now if one could say in one's SPF records "I have a real cert" we'd
>>> be a long way towards sender authentication, wouldn't we?
>> Problem is, you don't have to have a CA authority sign your TLS
>> certificate. Anyone can self sign and TLS will accept it.
>
> Unless the recipient were to decide he liked CA-signed certs. This is
> what I'm angling towards.
>
>> DomainKeys is closer to that idea though.
>
> I know, but SSL/TLS with CA-signed certs are well-understood and already
> well-supported in MTAs (including exim, of course). Why not use them for
> sender authentication? I know nobody does but what's the rationale in
> favour of DKIM et al over my suggestion?
>
> Cheers,
>
> John.
That's an easy one. Most of the public CAs are whores, Verisign at the head of the line. They'll sell a cert to anyone. Pull all the CAs from a browser and suddenly notice that ads.doubleclick.net and a zillion others have been using publicly signed certs off the browser's default CA set to quietly slip under your filters for years.

Not that I think DKIM is worth a Massachusetts, either... If I could only have ONE tool, it's lack of a PTR RR. Fortunately, we have many tools.

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
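For reference, here is what the two positions in the thread look like as an Exim configuration: request a client certificate over TLS and verify it against a CA bundle (John's idea), but treat the result as information rather than authentication (Dean's and Bill's objection), and enforce the PTR check Bill names as his one tool. This is an added example, not configuration posted in the thread or shipped by the Exim project. It assumes current Exim 4 option and variable names (`$tls_in_peerdn`, `$tls_in_certificate_verified`; releases of the 2007 era used `$tls_peerdn` and `$tls_certificate_verified`), hypothetical certificate paths under /etc/exim, and a system CA bundle at /etc/ssl/certs/ca-certificates.crt.

```exim
# Added example, not from the exim-users thread. Hostnames, file paths and
# the ACL name are assumptions for illustration.

# --- main section ---
tls_certificate         = /etc/exim/mail.example.org.crt
tls_privatekey          = /etc/exim/mail.example.org.key

# Ask every TLS client for a certificate and try to verify it against the
# system CA bundle, but keep the session even when no cert is offered or it
# fails to verify. A self-signed cert therefore "works" for TLS, as Dean
# says, yet is marked unverified rather than treated as authentication.
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_try_verify_hosts    = *

acl_smtp_rcpt           = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Bill's "one tool": no PTR record, no mail. reverse_host_lookup does the
  # PTR lookup and then the forward lookup, and only succeeds when the name
  # resolves back to the connecting address.
  deny    message     = No reverse DNS for $sender_host_address
          !verify     = reverse_host_lookup

  # A CA-verified client certificate proves only that the presenter holds a
  # key for the name in the cert, from a CA that, as Bill notes, sells to
  # anyone. Log it for later policy; do not accept on the strength of it.
  warn    condition   = ${if eq{$tls_in_certificate_verified}{1}}
          log_message = verified client cert: $tls_in_peerdn

  # Certificate offered but not verifiable (self-signed, unknown CA):
  # TLS still negotiated, but this says nothing about who is sending.
  warn    condition   = ${if and{{def:tls_in_peerdn}{!eq{$tls_in_certificate_verified}{1}}}}
          log_message = unverified client cert: $tls_in_peerdn

  accept
```

The point of the two `warn` verbs is that neither changes the verdict: the only hard decision in this fragment is the PTR check, and the certificate outcome goes to the log, where a later ACL or a mail filter could weigh it against SPF or DKIM results if anyone ever published the "I have a real cert" assertion John was angling for.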
