On Nov 5, 2005, at 2:32 PM, Hector Santos wrote:
In my view, DKIM is essentially protecting the email message transport system.
But it's not. It is protecting the domain. I can test everything about DKIM outside a transport system. I don't need SMTP to work it. It has nothing to do with 2821 parameters and I believe the closest property to a 2821 parameter is if a 2822.Sender header is included in the signature.
The signature verifies that the _message_ is associated with a domain. This association does not require that an email-address within the message contain this domain. The signing-domain is unrelated to RFC2822 beyond being contained within a header and verifying message content. Coupling DKIM with a domain assertion in the EHLO verification allows a means to protect the transport from being hijacked with a routing attack. This also provides a means to fend-off a DoS attack in the midst of these types of attacks without needing to block innocent domains. : )
See: 14. Domain Assertions for Signatures
http://www.sonic.net/~dougotis/id/draft-otis-mass-reputation-03.html#anchor14
Attempts to force or coerce a blinding with the email message transport system break many applications. A strong method to verify the domain associated with the transport provides great value, especially when an opaque-identifier is included. : )
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
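Added example, not part of the original message or of any DKIM draft: a small Python check of the point argued above, that the signing domain in the `d=` tag is carried independently of the addresses in the From and Sender headers, and of whether Sender is among the signed headers. The message, domains and signature values are constructed placeholders, and the function names are hypothetical.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the signing domain appears in neither From nor Sender.
# The bh= and b= values are placeholders, not a verifiable signature.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=sel1;\r\n"
    "\th=from:sender:subject; bh=PLACEHOLDER;\r\n"
    "\tb=PLACEHOLDER\r\n"
    "From: Alice <alice@example.org>\r\n"
    "Sender: owner@relay.example.com\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tag_list(value):
    """Parse a DKIM tag=value list; folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def addr_domain(header_value):
    """Lower-cased domain of the first address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()

def signing_domain_relation(raw_message):
    """Relate each signature's d= to the From and Sender header domains."""
    msg = email.message_from_string(raw_message)
    from_dom = addr_domain(msg.get("From"))
    sender_dom = addr_domain(msg.get("Sender"))
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(sig)
        d = tags.get("d", "").lower()
        signed = tags.get("h", "").lower().split(":")
        results.append({
            "d": d,
            "matches_from": d == from_dom,
            "matches_sender": d == sender_dom,
            "sender_signed": "sender" in signed,
        })
    return results
```

This only reads header fields; it does not verify the signature, so it says nothing about whether the message is authentic.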