Henry Hertz Hobbit wrote: <SNIP>

As an aside, if you are concerned about DNS cache server poisoning, then take the IP address and stick it into the hosts file (make sure hosts come before DNS in the nsswitch.conf file on *nix machines). If nothing else, it stops the chatter-happy Zone Alarm firewall from querying for its IP address every five seconds. The host / domain name has more than one IP address? Randomly pick one of them. Check back that they are the same, but not every five seconds. Try every six hours for a week or so until all the DNS TTLs have timed out. djbdns anybody?

I am interpreting your statement as saying all of the people you will be sending to are only moderately interested in verification rather than paranoid, and that they will all be using Windows. Correct me if I am wrong. If the conditions are not these, the next statement has NO meaning.

Now that we know a little better what you want to do (just one-way verification of emails, with them verifying you but not vice versa), you MAY be best served by using X.509. I really don't like the idea of that web verification scheme. Once you look at X.509 you will see that it is better. I have had mail redirects in the past week from several universities, and one of them was from MIT! It is just too easy for Mallory to say "click on this link" to verify, and back we go to phishing 101.

In other words, there is no substitute but for the people who are getting your messages to assume some of the responsibility for verification themselves. One of the key things in Bruce Schneier's security service is people monitoring what is going on. The people receiving your messages need to assume some of the responsibility themselves.

HHH

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
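As an added example (not part of HHH's message and not GnuPG project code), the following Python script checks the two things the hosts-file advice above depends on: that nsswitch.conf lists `files` before `dns`, and whether the addresses DNS currently returns for each pinned name have drifted from the pinned ones, which is the periodic re-check HHH suggests running every few hours. The sample nsswitch.conf and hosts contents, the name `mail.example.net` and all addresses are constructed.

```python
import ipaddress
import socket
from typing import Callable, Dict, Set

# Constructed sample files; real systems read /etc/nsswitch.conf and /etc/hosts.
SAMPLE_NSSWITCH = "# constructed sample\npasswd: files\nhosts:  files dns\n"
SAMPLE_HOSTS = """# constructed sample of pinned entries
127.0.0.1   localhost
192.0.2.10  mail.example.net
192.0.2.11  mail.example.net
"""


def files_before_dns(nsswitch_text: str) -> bool:
    """True if the 'hosts:' line consults 'files' before 'dns', so the
    pinned entries in the hosts file win over whatever the resolver says."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        sources = line.split(":", 1)[1].split()
        if "files" not in sources or "dns" not in sources:
            return "files" in sources
        return sources.index("files") < sources.index("dns")
    return False  # no hosts: line at all -> pinning is not in effect


def parse_hosts(hosts_text: str) -> Dict[str, Set[str]]:
    """Map each pinned name (lower-cased) to the set of addresses given for it."""
    pinned: Dict[str, Set[str]] = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip malformed lines rather than trusting them
        for name in fields[1:]:
            pinned.setdefault(name.lower(), set()).add(addr)
    return pinned


def dns_lookup(name: str) -> Set[str]:
    """Live resolver: every IPv4 address DNS currently returns for name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def check_drift(pinned: Dict[str, Set[str]],
                resolve: Callable[[str], Set[str]] = dns_lookup) -> Dict[str, Set[str]]:
    """Return, per pinned name, the addresses DNS now returns that are NOT in the
    hosts file. Empty means nothing moved; anything else is the cue to look again
    (a legitimate address change or a poisoned answer both show up here)."""
    drift: Dict[str, Set[str]] = {}
    for name, addrs in pinned.items():
        if name == "localhost":
            continue
        try:
            unexpected = resolve(name) - addrs
        except OSError:
            continue  # resolver failure is not drift; retry next cycle
        if unexpected:
            drift[name] = unexpected
    return drift
```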
As an aside, if you are concerned about DNS cache server poisoning, then take the IP address and stick it into the hosts file (make sure hosts come before DNS in the nsswitch.conf file in nix machines). If nothing else it stops the chatter happy Zone Alarm firewall from querying for its IP address every five seconds. The host / domain name has more than one IP address? randomly pick one of them. Check back that they are the same but not every five seconds. Try every six hours for a week or so until all the DNS TTLs have timed out. djbdns anybody? I am interpreting your statement as saying all of the people you will be sending to are only moderately interested in verification rather than paranoid, and that they will all be using Windows. Correct me if I am wrong. If the conditions are not these, the next statement has NO meaning. Now that we know a little better what you want to do (just one way verification of emails with them verifying you but not vice versa) you MAY be best served by using X.509. I really don't like the idea of that web verification scheme. Once you look at X.509 you will see that is better. I have had mail redirects in the past week from several universities, and one of them was from MIT! It is just too easy for Mallory to say "click on this link" to verify, and back we go to phishing 101. In other words, there is no substitute but for the people who are getting your messages to assume some of the responsibility for verification themselves. One of the key things in Bruce Schneier's security service are people monitoring what is going on. The people receiving your messages need to assume some of the responsibility themselves. HHH _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users