-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jeff Rife wrote: > On 18 Aug 2004 at 13:20, [EMAIL PROTECTED] wrote: > >>> This then breaks forwarding, one of the advantages of DomainKeys >>> over SPF. >> >> How so? Email forwarding works, so long as the forwarding agent >> (say, forwarder.example.com) signs the forwarded email with their >> DomainKey. > > You haven't read the spec enough. To do this, the forwarder would > have to change the "From:" header. Although this is benign, this is > a type of forgery of the "From:" header, and forgery of the "From:" > header is what DomainKeys is supposed to stop.
This is true with the spec as it stands. But there are still ways around this if you're willing to alter the spec. For example, forwarding could be redefined to use MAIL FROM: [EMAIL PROTECTED] ... DATA FROM: [EMAIL PROTECTED] Then DomainKeys could be redefined to use the MAIL FROM: sender as the source of the DomainKeys lookup rather than the FROM: header. People worried phishing can add an "ALERT - this was really from [EMAIL PROTECTED], and not necessarily from [EMAIL PROTECTED]" to the body (AFTER verifying the DomainKey, of course.) The problem with both SPF and DomainKeys specs as they stand is that they tend to gloss over a lot of the messy details with a "there's probably a way around this..." A comprehensive solution does seem like it could be worked out, though - it's not *that* difficult, just takes a deal of thought and consultation with experts and open discussion and raising of points and (etc...) But the specs as they stand aren't mature enough. A solution *is* possible, even though the specs aren't (yet) it. Worst-case, everyone gets a PGP key, publishes the public key in DNS, and signs all outgoing mail. Then headers can be thrown around at will. Yes, I know that attachments aren't signed and the subject isn't signed etc. But the subject could be added to the message, so forgeries could be caught. And MD5 sums of the attachments could be included in the signed portions of the message, so forgeries could be caught (etc., etc... yes, I know there have recently been MD5 collisions discovered...) [EMAIL PROTECTED] 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer -----BEGIN PGP SIGNATURE----- Comment: pub key http://matthew.vaneerde.com/pgp-public-key.asc iD8DBQFBJNzmUQQr0VWaglwRArv/AJsEHjnZccS2cSdRtwc2XWsdddmZaACg50Hg MNKuw/Eq1HVeNklLK1juS2E= =BtYD -----END PGP SIGNATURE----- _______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
