----- Original Message -----
From: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>
To: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
> The "invalid" flag is not needed, but Hector will want to be able to
> list who signs even when the 2822.From is not validated.
Ok, I really don't care how you guys do it.
The bottom line is that DKIM-BASE is unprotected and fails to answer the
o Does the domain ever distribute mail?
o Do you expect the mail to be unsigned?
o Do you expect to sign all mail?
o Is your domain the exclusive signer?
o Are 3rd party signers or signatures allowed?
o Are 3rd party signers allowed to strip your original signatures?
I don't take away anyone else's experiences, but I've got 30 years of designing
multi-million dollar commercial products for corporations and for my own
business, with a sound expertise in software engineering, process control,
automation, simulation, fault analysis and foremost problem solving. Never
mind all the mail design experience I have as well. It doesn't take me very
long to see what the problems are going to be with a proposal such as
DKIM-BASE, where the exploitations will be, and while I keep in mind
conservative considerations, what "feasible" solutions may work.
I think the above are very feasible "doable" design questions. Solve the
above questions with whatever protocol methods you like and I believe very
strongly DKIM will be very successful.
If there are things I don't see, I accept that. I would like to know what
they are, though. But from what I've seen in the last 2 years or so, in my
anti-spam project research sabbatical? For DKIM-BASE, it needs an SSP
protection layer with the above minimum questions resolved. I cannot in
good faith see DKIM-BASE be "safe" when released into the wild without some
signature authorization protection.
Hector Santos, Santronics Software, Inc.