ietf-asrg

Re: [Asrg] [Fwd: Yahoo! Mail Publishes Specification for DomainKeys]

2004-05-20 11:01:10
Quoting Matthew Elvey (matthew(_at_)elvey(_dot_)com):

> DK requires orders of magnitude more
> work to adopt, though not as much as SPF+SRS.

Nod.


> DK is about as reliant on blacklists/reputation services as other
> proposals. Without them, CSV is not easier for a spammer to circumvent
> than DK or SPF.  They all require that something be put in a DNS entry
> for a domain that costs approximately nothing to put there beyond the
> cost of the domain itself. DKs aren't signed by CAs, remember.
> Exploit: A spammer would have control of the DNS server for the
> responsible domain, and a BotNet spamming node would spam with a valid
> DK.  The DK would be in the zombie worm that created the BotNet, or even
> communicated via IRC.
>
> So, I think DK is shown to be about as trivial to circumvent as the 40%
> solution / CSV+++.

Unless I'm missing something I think it's even easier to circumvent
and Yahoo! seems to agree:

    6.5 Envelope audit

    [ To be discussed: Identify the preconditions in the base document
    that allow for envelope auditing to protect against replay and
    joe-jobs ]

All that is signed is what is received by the signing MTA.  Get a
Yahoo! throwaway account.  Send email from Yahoo! to yourself at
another account.  Strip headers added in transit and you have a DK
signed message that can be wrapped in a new envelope and it will
verify as signed by Yahoo!.

If widely adopted, DK or something like it might go a long way
towards stopping phishing.  But the phisher can still register a
domain that looks like paypal.com, valued-paypal-customer.com, and
sign that himself and the naive user will still get sucked into the
fraud.

John Capo
Tuffmail.com
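
The envelope independence discussed in this message, together with one possible receiver-side audit for it, as an added example (not code from the post or from the DomainKeys specification). An HMAC stands in for the signing domain's public-key signature, and `ReplayAuditor`, its threshold, and all addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # stand-in for the signing domain's key (assumption)

def sign(headers, body):
    # Only the message headers and body are covered; the SMTP envelope is not.
    data = "".join(f"{k.lower()}:{v}\r\n" for k, v in headers) + "\r\n" + body
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()

def verify(headers, body, sig):
    # Verification has no envelope input, so it cannot notice a new envelope.
    return hmac.compare_digest(sign(headers, body), sig)

class ReplayAuditor:
    """Hypothetical audit: one valid signature seen for many envelope recipients."""

    def __init__(self, max_rcpts=2):
        self.max_rcpts = max_rcpts
        self.seen = defaultdict(set)  # signature -> distinct RCPT TO values

    def check(self, rcpt_to, headers, body, sig):
        if not verify(headers, body, sig):
            return "fail"
        self.seen[sig].add(rcpt_to.lower())
        if len(self.seen[sig]) > self.max_rcpts:
            return "suspected-replay"
        return "pass"

# Constructed sample message and signature.
HEADERS = [("From", "user@signer.example"),
           ("To", "me@other.example"),
           ("Subject", "hello")]
BODY = "test body\r\n"
SIG = sign(HEADERS, BODY)

def demo():
    # The same signed content arrives under three different envelopes.
    auditor = ReplayAuditor(max_rcpts=2)
    rcpts = ["me@other.example", "a@rcpt.example", "b@rcpt.example"]
    return [auditor.check(r, HEADERS, BODY, SIG) for r in rcpts]

if __name__ == "__main__":
    print(demo())
```

A per-signature recipient count is only a heuristic: legitimate mailing-list or Bcc delivery also fans one signed message out to many recipients, so the threshold needs tuning against real traffic.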

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


