ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] SSP acceptance chart

2005-11-04 14:09:03
from [Douglas Otis] [Permanent Link] 

On Nov 4, 2005, at 12:13 PM, Hector Santos wrote:




You seem to be ignoring the new requirements inflicted by SSP where
the From header must be altered in thousands of applications to
introduce two addresses instead of the normal one.
So what you are saying that is it OK to spoof the From Header as long as the 
SENDER is authorized via CSA/DNA?
Not at all. There is a signing-domain centric method that can be used to establish acceptance criteria as opposed to email-address centric. Email-address centric risks unfair application of reputation. The criteria would be limited to that within the signing- domain. The signing-domain centric approach imposes fewer constraints and works far better with exiting practices and applications. The signing-domain centric approach offers a means for automatic limitations with respect to email-addresses, in a far more flexible manner than can be achieved otherwise. When captured on-the- fly, the signing-domain centric bindings also require far less overhead. : ) 



If the SENDER is authorized, why do we need DKIM again?
As I said, there are exploits reducing the quality of IP address based mechanisms. I see DKIM offering vital protection for the email message transport system. If the desire is to protect the author as determined by the From header, then per-user-keys handled at the MUA should be use instead, where perhaps a revocation scheme modeled after OpenPGP would also be a better choice. DKIM protecting the email message transport system would be simpler and safer. At the email message transport system level there would be less management needed and fewer systems involved, but only when SSP is completely and absolutely excluded. In other words, no email-address centric schemes allowed at the transport level! That would break things.
If DKIM fails, can we blacklist the authorized SENDER via DNSRBL or using 
Local Blacklist tables?
It would likely be a better option to report the event. Taking corrective action requires a fair amount of investigation with respect to possible causes.
Can DKIM and CSV and DNA co-exist separately? or do you need all three?
DKIM needs CSV-CSA for DoS protection. This aspect of possible threats has been largely ignored. : ( 


-Doug


_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] SSP acceptance chart, Hector Santos
Next by Date:  Re: [ietf-dkim] SSP acceptance chart, Hector Santos
Previous by Thread:  Re: [ietf-dkim] SSP acceptance chart, Hector Santos
Next by Thread:  Re: [ietf-dkim] SSP acceptance chart, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]