On Sat, 2005-11-19 at 15:22 -0500, Hector Santos wrote:
You might have brow beating down Scott, but this is totally false because
the MTA can reject it before the MUA. It doesn't need a VISUAL presentation
or confirmation.
How is a look-alike domain rejected by comparing the From and signing-
domains?
The "broad" binding mode would offer the same ability to reject
messages at the SMTP session as would the SSP 'o=!' policy, but in
microseconds rather than seconds.
Your DKIM options a heavy reliance on SMTP caching information, a
centralized reputation database, threatens the security of internal User
Account databases, and relies on an unestablished protocol called CSV/CSA or
whatever the name of the month it has.
With this statement it is hard to decide where you have erred. While
indeed this binding strategy caches information, this is no different
than what is being done with DNS. In fact, DNS can be used as the
storage/retrieval mechanism as only domain names are required which can
be held in a zone. This caching strategy would also help in detecting
other types of attacks.
I don't know what security risk is created for user accounts. If
anything, the user could be notified by the provider when their system
has been compromised when opaque-identifiers are employed. Opaque-
identifiers are not essential for the binding strategy, but they would
reduce intra-domain spoofing.
I would consider DoS protection afford by CSV a totally separate issue.
Reputation of some sort remains an unfortunate fact of life, and is also
a totally separate issue.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org