ietf-dkim

Re: [ietf-dkim] over-the-wire (in)compatibility between pre-IETF DKIM and (eventual) IETF DKIM

2005-10-15 16:26:25

----- Original Message -----
From: "Dave Crocker" <dhc(_at_)dcrocker(_dot_)net>
To: "IETF DKIM pre-WG" <ietf-dkim(_at_)mipassoc(_dot_)org>

Is it ok with folks to be required to replace essentially all of the
current software, administration and user deployment?

I'm not convinced there is sufficient installed base that should preempt
making DKIM work right, the "first time."

If you believe there is enough of an installed base that makes this a
problem, then we already have a problem because this perceived installed
base is insecure.

Put another way. This vendor is not going to support DOMAINKEYS and there is
no way we will implement DKIM without an SSP verification concept.   It will
be a waste of time and we will not put our customer base in jeopardy by
adding "ambiguous" verification ideas that have little to no value.  If this
world was just one vendor, we can make it work, but that is not the case.
We have to work with others.

We already have a growing problem of Social Engineering based phishing
issues with spammers borrowing "DKEY" domains such as YAHOO.COM and
GMAIL.COM with the bad actors knowing that there is a HUGE market of systems
not processing this information and if they were, these domains have NEUTRAL
like policies which makes the verifying system "throw up their hands" with
such yahoo and gmail mail, to the extent there is increasing local policy
discussions of outright blacklisting these domains.

So early adopters, who well knew in advance that the value of this work had
no meaningful value with by-far a non-compliant world, was incomplete and/or
was plagued with serious security issues, and only added this stuff for the
most part for marketing reasons, should not, in my view, hurt the chances
of a very promising technology from being securely maximized when finally
deployed with a consistent SSP verification operational behavior expectation
across the board.

Note I am not suggesting a complete revamp. I don't think it is needed. I am
just saying that backward compatibility support for a few
installations should not pre-empt "Getting DKIM right, the first time."

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


_______________________________________________
ietf-dkim mailing list
http://dkim.org