
Re: [ietf-dkim] Re: Message Replay Abuse and Acceptance of a Signature

2006-01-22 14:01:43
On Sun, 2006-01-22 at 18:57 +0100, Frank Ellermann wrote:
> Douglas Otis wrote:
>
>> The DKIM signature however indicates the AdmD providing
>> initial access and not just the last hop.
>
> Your X + Z example sounded like Z getting X's newsletters
> directly (MON X to MRN Z).

This example was to illustrate the futility of handling a replay abuse
issue on an email-address basis.  The example could have used an
email-address from any domain.  The point to be made was that this issue
can be resolved on a domain basis when incoming signatures are overlaid
with a result and where an MDA signature can be added for protection
within the MDA AdmD.  The MDA could also simply strip overlaid signatures
not overlaid by the MDA.  This would provide roughly the same poor level
of security as would adding a results header.

> For that case reducing it to the one critical hop where one of X's
> MTAs determined one of Z's MXs is an obvious solution, they should
> definitely use SPF or CSV or similar if they want to know "does that
> MTA claiming to be X really belong to X ?"

Not exactly, this is about protecting the signature.  The use of
DKIM-Abuse-List mirrors similar lists when receiving, where CSV could be
used to offer a name basis.  This proposal is about where to send the
signed message.  The value of DKIM is that it provides greater assurance
of the message source.  CSV provides the last hop, which will require
greater administrative effort to correlate common sources.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org