Murray S. Kucherawy wrote:
-----Original Message-----
Alessandro Vesely
However, the other issue is to break or remove author domain
signatures. John has pointed this out since a long time, for FBL
reasons. Doug has brought out the same issue for replaying attacks
aimed at breaking reputation, because replaying is definitely out of
control in case of publicly distributed messages.
What's the danger of replaying legitimate mail, other than
to cause volume detection alarms to go off?
I think the issue is that we don't know what the assessors do, if
anything. We won't know how stripping or keeping broken signatures
will *warm* up these heuristic/reputation based assessors with
indeterminate DKIM messages.
BTW, it really has nothing to do with ADSP because it applies to
reputation services as well.
Here is a possible scenario:
A ISP begins to offer a 3rd signing service to its email hosting
domains, The ISP is intent to get its signing domain registered with
every known reputation and domain certification service bureau
existing or startups.
So I sign up (at $5, $10 extra per month or free perhaps) and now all
my mail is signed by the 3rd party ISP domain.
I forget about all that and one day I see this great list I want to
subscribe to. I do and unbeknowst to me, the list is blindly
resigning the mail.
Unless the LIST domain is part of the same "registration" the ISP did
with all the new reputation and domain certification services out
there, I now lost my $5, $10 value of using my ISP's 3rd party
signing service - thru this list stream.
Either way, it all goes back to a centralization concept of some form,
network of reputation services or a self-asserting DNS domain policy.
Until we have a understanding of how the many assessors will work,
separately or in concert, we have no idea how indetermine DKIM mail
will warm up these systems with stripped or kept broken signatures.
In the mean time, the better solution possible today is to allow the
self-asserting domain to declare it expectation and policies for mail
distribution if only for one reason - to maintain a high benefit of
1st party signatures while you guys figure out how LIST systems ought
to work.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html