----- Original Message -----
From: "Jon Callas" <jon(_at_)callas(_dot_)org>
What do you mean by an unauthorized signing, Hector?
Basically, the responsible domain property owner (Original Address) mail
policy expectations were violated in some form.
Maybe he did not expect any signing or signing by others or vice versa.
Perhaps I don't understand something, but if some unauthorized entity
owns my DNS and my outgoing MTAs, then I have network problems beyond
the scope of DKIM.
The idea being that in order to exploit an OA signature, as you
suggest, the OA network DNS server(s), database, assets, etc, would have to
exploited as well. This attack (equivalent to a "Theft of Private Key for
Domain" exploit) was deemed as a high impact, but with a low potential
(likelihood) in the TA (Threat Analysis).
However, the higher potential threat is with unauthorized 3rd party
signatures not involving an exploitation of the OA network, including
unauthorized OA spoofs or No Mail expectations.
The easiest example today, in our service, we get about 12% local domain
spoofing - remote systems using our local domain as the originating source.
We trap these. No other system should expect messages with our domain
coming into their system unless it is directly from us. This would be what
I would call unauthorized transactions.
Hector Santos, Santronics Software, Inc.
NOTE WELL: This list operates according to