On Aug 23, 2005, at 12:24 PM, Tony Finch wrote:
http://www.cus.cam.ac.uk/~fanf2/hermes/doc/antiforgery/draft-fanf-
dkim-rationale.txt
4.1. Hostname (RFC 2821 EHLO)
I agree HELO is currently is not properly configured in many cases,
and RFC 2821 allows this situation.
HELO verification can permit DoS protections for DKIM, where there
could be a case for HELO verification to become a recommended step
for DKIM. HELO verification may utilize the same name acceptance
criteria as that of DKIM. The benefits from adding this step would
be elimination of reliance upon IP address acceptance criteria, and
mitigation of DKIM revocation and domain-wide assertion efforts.
HELO verification would involve the same effort as needed to lookup
an SSP record, where even the SSP record could also be supplanted.
It would also be helpful to include the concept of a non-mailbox-
address identity associated with the signing domain. This has been
called a revocation-identifier in the past. It may be described as a
type of domain-cookie, or opaque-identifier. It would permit a
revocation mechanism and enable opportunistic identifications that
could even detect cross-domain forgery without any mailbox-address
constraints being applied. There should be a caveat that when a key
is flagged as being delegated (currently not possible), then the
identifier would be derived from the key selector instead.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org