Danger: Authenticating e-mail can break it (ZDNet)
"There are two main ways of authenticating e-mail: Sender ID and DomainKeys Identified Mail, or DKIM. Backed by Yahoo and Cisco Systems, DKIM relies on public key cryptography. It attaches a digital signature to outgoing e-mail, so recipients can verify that the message comes from its claimed source. Sender ID is further along in adoption than DKIM. It requires Internet service providers, companies and other Internet domain holders to publish SPF (Sender Policy Framework) records to identify their mail servers. This usually does not require new hardware or software; the most arduous part is doing an inventory of mail servers and the subsequent maintenance of that record."
Posted Apr 21, 2006 8:12 UTC (Fri)
by pheldens (guest, #19366)
Posted Apr 21, 2006 11:09 UTC (Fri)
by climent (guest, #7232)
DomainKeys allows a mail sender to implement both the signature of the email (on the outgoing server) and publish the public key that will be used for mail verification in the DNS server.
Posted Apr 22, 2006 11:47 UTC (Sat)
by dd9jn (✭ supporter ✭, #4459)
Posted Apr 21, 2006 17:23 UTC (Fri)
by pflugstad (subscriber, #224)
Yup:
<http://en.wikipedia.org/wiki/SenderID>
and:
<http://www.apache.org/foundation/docs/sender-id-position....>
What's wrong with regular pgp/gpg signing?
That your bank does not use it?
And you can easily use an already signed mail and change the body without anyone being able to check this. Same goes for DKIM, which actually signs the whole message but has severe flaws in the protocol so that it is easy to inject a faked message.
IIRC Microsoft owns some key patents w.r.t. SenderID...