ietf-dkim

Re: [ietf-dkim] Re: New DKIM threat analysis draft

2005-10-13 13:58:35
On October 13, 2005 at 10:39, Frank Ellermann wrote:

> DKIM is no FUSSP

I think no one is claiming it is.

> there will be legit domains that don't use
> DKIM for at least years.  The bad actors would then forge its
> addresses, sign it with their own throw-away domains, and naive
> users (5.1 + 6.2) could then erroneously "think" that they got
> a PASS "for" the forged identity.

This ties back to past threads on the SSP part of DKIM and what
the default assumptions are when no SSP records are defined for a
given domain.

> So far that's 100% the same as SPF.  Maybe you should mention
> that DKIM can be checked everywhere (not only at the "border")
> as long as nobody manipulates the DATA.  Resulting in a minor
> "threat" of FPs behind many mailing lists => users intending
> to act on invalid signatures should white list these lists.

DKIM operates independently of the transport layer.  It is not
dependent on SMTP, allowing DKIM to be applicable for messages
transmitted by other protocols.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
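
The scenario discussed in this message, a valid signature from a throw-away domain on mail whose From: address names a different domain, can be made visible by comparing the signature's d= tag with the From: domain. The following is an added example, not part of the original message or of any DKIM implementation; it does not verify the signature cryptographically, and the function names, the subdomain matching rule and the sample messages are assumptions made for illustration.

```python
# Added example: relate the DKIM signing domain (d=) to the From: address.
# Assumes a verifier has already reported the signature as valid; this code
# only answers "valid for whom?". All messages below are constructed samples.
from email import message_from_string
from email.utils import parseaddr

def signing_domains(msg):
    """Return the d= tag value of every DKIM-Signature header."""
    domains = []
    for header in msg.get_all("DKIM-Signature", []):
        # The header is a list of tag=value pairs separated by ';',
        # possibly folded across lines, so whitespace is stripped.
        for part in str(header).split(";"):
            tag, _, value = part.partition("=")
            if tag.strip().lower() == "d":
                domains.append("".join(value.split()).lower().rstrip("."))
    return domains

def from_domain(msg):
    """Return the domain of the From: address, or '' if there is none."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(raw):
    """'unsigned', 'first-party' (d= covers From:) or 'third-party'."""
    msg = message_from_string(raw)
    author, signers = from_domain(msg), signing_domains(msg)
    if not signers:
        return "unsigned"
    for d in signers:
        # Assumed rule: exact match, or From: domain is a subdomain of d=.
        if author and (author == d or author.endswith("." + d)):
            return "first-party"
    return "third-party"

def sample(d_tag):
    """Build a constructed message signed (nominally) by d_tag."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; d=%s; s=sel;\n"
           " h=from:subject; bh=AAAA=; b=BBBB==\n" % d_tag) if d_tag else ""
    return ("From: Example Bank <support@bank.example>\n" + sig +
            "Subject: account notice\n\nbody\n")

if __name__ == "__main__":
    for d in ("bank.example", "throwaway.example", None):
        print(d, "->", classify(sample(d)))
```

A "third-party" result is the case where a bare PASS shown to the user says nothing about the From: identity.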