
Re: [ietf-dkim] DKIM expert group meeting for Dutch 'comply or explain' list

2011-06-23 08:07:48

On 21 Jun 2011, at 19:47, Douglas Otis wrote:

On 6/17/11 1:05 PM, Rolf E. Sonneveld wrote:
Dear all,

after some off-list conversation with Dave he suggested I might want to
send this to the list. I apologize in advance if this message does not
apply to you. I also apologize if you get this message twice, when you
are subscribed to both ietf-dkim and the opendkim list.
[]
Regards,
/rolf

Hi Rolf,

The general goal of DKIM was to establish a domain relationship as a 
trust basis for acceptance.  DKIM was also to allow incremental 
deployment without requiring undefined additional filtering performed by 
mail transfer or mail user agents.  When essential format checks are 
skipped, this deficiency allows acceptance based upon DKIM's domain to 
be potentially deceptive where its results may play an evil role that 
cannot be repaired through the use of reputation.

Free email providers likely use DKIM to take advantage of their "too big 
to block" volumes.  For these domains, their reputation is understood to 
offer little assurance of their overall integrity.  Allowing a 
pre-pended From header field to not affect the validity of a DKIM 
signature according to the specification means that the UNDERSTOOD source of 
a message can NEVER be trusted.

Those that phish by taking advantage of this flaw are unlikely to affect 
the acceptance of any exploited high volume domain.  DKIM could have 
avoided the offering of false assurances by not ignoring illegal header 
fields per RFC5322 and defining such messages as resulting in invalid 
signatures.  At this time, it would be prudent to NOT recommend use of 
DKIM due to this and a lack of required Fake A-label detection.

This seems like a completely bogus argument to me. You're saying that some 
domains can't be trusted, therefore none can be trusted. That's a logical 
fallacy. 

Sure, gmail.com can't be trusted because they'll sign even spoofed emails. So, 
my server won't be configured to give a pass to emails signed by gmail.com 
However, that doesn't mean that I can't be more lenient with respect to emails 
signed by, for example, subdomains of .gov.uk, which might well be better 
managed.



-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
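Added example, not part of the thread above and not code from either poster: it shows the mechanism the two messages are arguing about. DKIM's h= tag selects header instances from the bottom of the header block upward (RFC 6376 section 5.4.2), so a signature with h=from still covers the original From: after a phisher prepends a second one, while listing the name twice (h=from:from, "oversigning") leaves a slot that the added field fills and the hash no longer matches. It also implements the RFC 5322 singleton check Otis says DKIM should have required. The header values, addresses and the relaxed-canonicalization-only hash (no DKIM-Signature field, no body hash, no signing key) are constructed for the demo and are not a complete verifier.

```python
"""Added example: DKIM h= header selection, oversigning, and the
RFC 5322 duplicate-singleton check discussed in the thread.
All message headers below are constructed sample data."""
import hashlib
import re

# RFC 5322 section 3.6: these fields may occur at most once per message.
RFC5322_SINGLETONS = {
    "date", "from", "sender", "reply-to", "to", "cc", "bcc",
    "message-id", "in-reply-to", "references", "subject",
}


def parse_headers(raw):
    """Split a raw header block (CRLF or LF, folded lines allowed) into an
    ordered list of (name, value) pairs, top of block first."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            break  # blank line ends the header block
        if line[0] in " \t" and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value))
    return headers


def duplicate_singletons(headers):
    """Names of RFC 5322 singleton fields that appear more than once."""
    counts = {}
    for name, _ in headers:
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return sorted(n for n, c in counts.items()
                  if n in RFC5322_SINGLETONS and c > 1)


def relaxed_canon(name, value):
    """DKIM 'relaxed' header canonicalization (RFC 6376 section 3.4.2):
    lowercase name, unfold, collapse whitespace, strip, CRLF terminated."""
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)  # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()     # collapse WSP
    return "%s:%s\r\n" % (name.lower(), value)


def select_signed_headers(headers, h_tag):
    """Header instances covered by a signature with this h= tag.
    Each name in h= consumes the physically last unconsumed instance of
    that field (RFC 6376 section 5.4.2).  A name listed more often than
    the field occurs yields (name, None): an oversigned slot that the
    spec treats as the null string, so a field added later lands in it."""
    remaining = list(headers)
    selected = []
    for wanted in h_tag.split(":"):
        wanted = wanted.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                selected.append(remaining.pop(i))
                break
        else:
            selected.append((wanted, None))
    return selected


def header_hash(headers, h_tag):
    """Hex SHA-256 over the canonicalized selected fields.  Demo only:
    a real verifier also hashes the DKIM-Signature field and the body."""
    data = "".join(relaxed_canon(n, v)
                   for n, v in select_signed_headers(headers, h_tag)
                   if v is not None)  # null-string slots add nothing
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed sample: the message as signed by the originating domain.
ORIGINAL = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: invoice\r\n"
    "Date: Thu, 23 Jun 2011 08:07:48 +0100\r\n"
)
# Constructed attack: a relay prepends a second From: that many MUAs
# display, leaving the signed From: physically last in the block.
PREPENDED = "From: security@bank.example\r\n" + ORIGINAL


def signature_survives(h_tag):
    """True if the header hash over the tampered message still equals the
    one the signer computed, i.e. the signature would still verify."""
    return (header_hash(parse_headers(ORIGINAL), h_tag)
            == header_hash(parse_headers(PREPENDED), h_tag))


if __name__ == "__main__":
    print("h=from      survives prepend:", signature_survives("from"))
    print("h=from:from survives prepend:", signature_survives("from:from"))
    print("duplicated singletons:", duplicate_singletons(parse_headers(PREPENDED)))
```

A verifier that applies the RFC 5322 check rejects the tampered message regardless of how the signer filled h=; a signer that oversigns From: (and the other singleton fields) makes the same tampering fail on every verifier, which is the remedy the spec leaves optional.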