----- Original Message -----
From: "Stefan Görling" <stefan(_at_)gorling(_dot_)se>
To: <ietf-dkim(_at_)mipassoc(_dot_)org>
Sent: Friday, August 11, 2006 9:10 AM
Subject: [ietf-dkim] A question about DKIM and Phishing
Hi,
"With DomainKeys, the absence of a verifiable digital signature
header in an E-mail purporting to be from a domain which has
a DomainKeys DNS record may indicate that that E-mail is a
forgery. Thus, E-mails may be divided into three classes:
* valid DomainKey signature: authentic
* invalid or missing DomainKey signature for a domain with the DNS
record: usually forged
* no DNS record or header: unknown status"
As I have understood it, you cannot really find the
DomainKey DNS record unless you know the selector, which
you do not really know unless you have a DomainKey signature. Is
this correct or have I misinterpreted the drafts?
Your deduction is correct, Dr. Watson. :-)
See section 3.6.2 describing sender domain policies using an optional DNS
policy record found by using the domain name with the prefix _domainkey.
_domainkey.example.com
Then looking for the "o=" tag, if any, to extract the expected signing
practice.
In short, to be effective, you have to look up the policy to see what is
expected by the domain. DomainKeys has two policies:
o=- domain signs all mail
o=~ domain sometimes signs mail (default)
It is similar to the current DKIM Policy discussions here, regarding the
need to find the policy expectation for signing when the signature is not
there, or there and not expected, and other policy inconsistency
considerations.
DKIM is the child of DomainKeys (Yahoo) + IIM (CISCO).
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
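A small worked example, added here and not part of either message above, of the policy-based classification Hector describes: the _domainkey.<domain> record is found without knowing any selector, and its "o=" tag decides how an unsigned (or unverifiable) message is classed. The domains and TXT records below are constructed stand-ins for DNS, not real records.

```python
"""Classify a message under the DomainKeys policy model discussed above.

Constructed example: the _domainkey.<domain> TXT records are embedded
inline instead of being fetched from DNS, so this runs offline.
"""

# Constructed stand-in for DNS TXT lookups of _domainkey.<domain>.
# Note that no selector is needed: the policy record sits at a fixed name.
POLICY_RECORDS = {
    "_domainkey.signs-all.example": "t=y; o=-; n=all mail signed",
    "_domainkey.signs-some.example": "o=~",
    "_domainkey.empty.example": "",  # record present, but no o= tag
}


def parse_policy(txt):
    """Parse a 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def lookup_policy(domain, records=POLICY_RECORDS):
    """Return the o= practice for a domain: '-', '~', or None (no record)."""
    txt = records.get("_domainkey." + domain)
    if txt is None:
        return None
    # o=~ ("sometimes signs") is the default when the tag is absent.
    return parse_policy(txt).get("o", "~")


def classify(domain, has_signature, signature_valid, records=POLICY_RECORDS):
    """Apply the three-class model: authentic / usually forged / unknown."""
    if has_signature and signature_valid:
        return "authentic"
    # An invalid signature is treated like a missing one; the policy then
    # says whether an unsigned message from this domain was expected.
    policy = lookup_policy(domain, records)
    if policy is None:
        return "unknown"        # no policy record: nothing to compare against
    if policy == "-":
        return "usually forged"  # domain states it signs all mail
    return "unknown"             # o=~: unsigned mail is permitted
```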
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html