On Aug 24, 2005, at 3:39 PM, Tony Finch wrote:
On Wed, 24 Aug 2005, Douglas Otis wrote:
http://www.ietf.org/internet-drafts/draft-otis-mass-reputation-01.txt
See section 8. Abating the replay attack
I don't see where that talks about using the revocation ID to detect
forgery.
I should update this draft to include this aspect of the revocation-
identifier, while perhaps removing other items. The draft did not
provide details about this revocation-identifier with respect the
MUA. Since this draft, the SSP and DKIM drafts were published. The
recent suggestion was to consider the binding of the mailbox-address/
signing-domain/revocation-identifier by the MUA as an opportunistic
identification, rather than attempting less protective domain-wide
assertions by the SSP. With respect to DKIM, there would be an
advantage being able to recommend the scope of the bindings. I
envision two modes (mailbox-address/signing-domain/revocation-
identifier) or (mailbox-domain/signing-domain).
The MUA is able to associate visual items from prior correspondents
and obtain a higher granularity and history of signed message sources
without using any DNS lookups. When assuming legacy MUAs, scant
protections are possible by the MTA even using many DNS lookups. In
comparison, the MTA approach provides an alarmingly low level of
mailbox-address protections. There is also a potential for an
undesired exposure of mailbox-addresses in the i= parameter. SSP
may also impose support issues related to assertion restrictions that
would not exist when superior protections are implemented by the MUA.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org