ietf-dkim

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 12:34:34

On Mon, 31 Jul 2006, wayne wrote:

In 
<20060731150944(_dot_)11804(_dot_)qmail(_at_)snake(_dot_)corp(_dot_)yahoo(_dot_)com> 
Mark Delany <MarkD+dkim(_at_)yahoo-inc(_dot_)com> writes:

On Mon, Jul 31, 2006 at 09:59:19AM -0400, Bill(_dot_)Oxley(_at_)cox(_dot_)com 
allegedly wrote:
The statement that I sign only my own mail makes perfect sense.

If I have a message with your valid 3rd party signature, meaning that
you've published the key, and your SSP says you sign only your own mail,
you believe both and apply a receiver policy determined by yourself that
will handle a message with an anomaly,

I'm with John on this. I don't see any merit in constructing a system
that allows anomalies solely for the purpose of giving a receiver less
certainty and more work to do.

+1

print "-1\n" while +1;

This is much like the reason I don't like stuff in the rDNS that
indicates that "this machine should never send email".  If you want
that policy, do port 25 blocking.  Don't make the rest of the world
try to figure out whether you screwed up on your security or you
screwed up on your published policy. And, have to do that all after
receiving the traffic.

My ISP operational experience is that just filtering on the outgoing side
is not enough, and even though you try to do the right thing, eventually
your system will get compromised in some way and there needs to be a
backup plan that takes over. So there is nothing wrong with a policy
record that says I don't sign emails at all or I don't sign somebody
else's email. And if receivers believe this policy is not useful and
not necessary, of course they will just not check for it or ignore it.

[OT to this WG list follows]

For port 25 blocking, it is also true that many ISPs are just not
willing to filter on their outgoing network end (for various
reasons, some having to do with legal agreements) but may well be
willing to mark their network as part of adding PTR records. This is
also OT to this group, but after some time I came to the conclusion that
if we have PTR email policy records, we should not allow an easy way
to add them to an entire IP block and should instead force adding a record
for each IP address in the same way they'd do it when adding PTR.
This is to make sure ISPs actually are maintaining it all properly.

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
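The anomaly discussed in this thread (a valid signature from a domain whose policy says it signs only its own mail, or no mail at all) as a small receiver-side check. This is an added illustration, not code from the list or from any SSP draft; the policy dict format and the example domains are constructed, not the SSP record syntax.

```python
"""Receiver-side check of published signing policy against observed
signatures. Constructed illustration; policies are plain dicts, not the
SSP DNS record format."""

# Constructed policy table: what each domain states about its own signing.
POLICIES = {
    # "I sign all my own mail, and only my own mail"
    "example.com": {"signs_all_own_mail": True, "signs_third_party": False},
    # "I don't sign emails at all"
    "example.net": {"signs_all_own_mail": False, "signs_third_party": False},
    # signs its own mail and also acts as a 3rd party signer
    "example.org": {"signs_all_own_mail": True, "signs_third_party": True},
}


def evaluate(from_domain, valid_signers, policies=POLICIES):
    """Return a list of findings for one message.

    from_domain   -- domain of the From: header (the author domain)
    valid_signers -- d= domains whose signatures verified, i.e. the key
                     was published and the signature checks out
    """
    findings = []
    # 1. Each signer's own statement: a domain that says it signs no mail,
    #    or no third-party mail, has still produced a valid signature.
    #    William's point: this is what a compromised system looks like,
    #    and the policy record is the backup plan that catches it.
    for signer in valid_signers:
        pol = policies.get(signer)
        if pol is None:
            continue  # no published policy: nothing to contradict
        if signer == from_domain:
            if not pol["signs_all_own_mail"]:
                findings.append(f"{signer}: says it signs no mail but signed "
                                f"its own mail (possible key compromise)")
        elif not pol["signs_third_party"]:
            findings.append(f"{signer}: says it signs only its own mail but "
                            f"signed mail From {from_domain}")
    # 2. The author domain's statement: it claims all its mail is signed,
    #    yet no valid signature from it is present on this message.
    author_pol = policies.get(from_domain)
    if (author_pol and author_pol["signs_all_own_mail"]
            and from_domain not in valid_signers):
        findings.append(f"{from_domain}: says all its mail is signed but no "
                        f"valid signature from it is present")
    return findings
```

The receiver still decides what to do with a finding; the function only reports where a published policy and the observed signatures disagree.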