On Jan 12, 2006, at 11:56 AM, Michael Thomas wrote:
> Eliot Lear wrote:
>> Mike,
>>
>> I think it depends on the prevalence of DKIM and the parameters of
>> the reputation service, which is out of scope and cannot be
>> standardized.
>
> I'm not suggesting it's in scope for anything here, just that as a
> _threat_ it's akin to any other kind of threat of people doing
> something Really Stupid(tm).

While this misuse of identifiers would be rather stupid, email
unfortunately is replete with Really Stupid(tm) tools. :(

> In this particular case, it would be the threat of somebody in the
> business that really ought not be if they can't understand why this
> is the wrong behavior.

This concern was raised as there are motivators for doing the Really
Stupid(tm) things. When this creates added revenue and redirects
complaints to other hapless entities, then Really Stupid(tm) may look
Really Clever(tm).

> If this belongs anywhere, it's in a BCP.

This was being raised in the threat review for the consideration of
the use of "open-ended" affirmations used by SSP. Only allowing the
publishing of "closed" affirmations avoids this risk. SSP should
also be able to indicate that the record does not apply to
sub-domains for the same reasons.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org