Stephen Farrell wrote:
"Policies can be open or closed. Open policies define a set of
conformant messages and are silent about other messages. Closed
policies define the set of conformant messages and other messages
do not conform to the policy.
If a domain owner publishes an open policy, and if some "bad"
unsigned messages apparently emanate from that domain then the
domain owner's reputation may suffer.
Closed policies can disrupt practices such as posting to list
servers, use of e-invites, and other similar services.
If unsigned mail from domains with open policies is treated
any better on the basis that the policy exists, then bad actors
will search for open policies in order to select the value for a
falsified From header.
Searching for a policy statement may have a significant cost and
bad actors can select messages so as to maximise this cost in
an attempt at DoS.
Policy statements inherently expose information about the domain
to which the policy is intended to apply. Bad actors can use
this information to select values for inclusion in messages."
I think (not that confidently, mind you) that those statements
are correct, and if so, could imagine a wordsmithed version
ending up in the threats draft. I'd be interested in what others
think.
Jim could copy it as is to his draft; I like it, no further
wordsmithing needed.
Bye, Frank
_______________________________________________
ietf-dkim mailing list
http://dkim.org
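The open/closed policy semantics in the quoted text, and the point about the cost of policy lookups, as an added illustration that is not code from this thread or from any DKIM specification: a small Python evaluator with a constructed policy table standing in for the DNS lookup. The domain names, the verdict strings and the `Evaluator` class are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

OPEN, CLOSED, NONE = "open", "closed", "none"

# Constructed policy table standing in for the DNS lookup (hypothetical domains).
PUBLISHED = {"bank.example": CLOSED, "blog.example": OPEN}

@dataclass
class Message:
    from_domain: str               # domain of the From header
    signer_domain: Optional[str]   # domain of a *valid* signature; None if unsigned/broken

class Evaluator:
    def __init__(self, published):
        self.published = published
        self.cache = {}
        self.lookups = 0           # remote policy fetches: the cost a DoS would inflate

    def lookup(self, domain):
        if domain not in self.cache:
            self.lookups += 1
            self.cache[domain] = self.published.get(domain, NONE)
        return self.cache[domain]

    def verdict(self, msg):
        # Mail validly signed by the From domain conforms under any policy, so no
        # policy fetch is needed: the cheap path, and one a forger cannot take.
        if msg.signer_domain == msg.from_domain:
            return "conformant"
        policy = self.lookup(msg.from_domain)
        if policy == CLOSED:       # closed: everything else is non-conformant
            return "nonconformant"
        # Open policy or no policy: both are silent about unsigned mail. Giving the
        # same verdict as "no policy" means an open policy never *helps* an
        # unsigned message, so there is nothing to gain from hunting for one.
        return "unknown"

def demo():
    ev = Evaluator(PUBLISHED)
    results = {
        "signed_by_bank": ev.verdict(Message("bank.example", "bank.example")),
        "bank_via_list": ev.verdict(Message("bank.example", None)),  # list broke the signature
        "unsigned_blog": ev.verdict(Message("blog.example", None)),
        "unsigned_nopolicy": ev.verdict(Message("nopolicy.example", None)),
        "unsigned_blog_again": ev.verdict(Message("blog.example", None)),  # served from cache
    }
    return results, ev.lookups

if __name__ == "__main__":
    print(demo())
```

The "bank_via_list" case is the list-server disruption from the quoted text: a closed policy marks the re-signed or body-modified list copy as non-conformant even though it is genuine.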