ietf-dkim

Re: [ietf-dkim] Re: draft-ietf-dkim-threats-00 Unreasonable estimate of impact from a highly probable exploit

2006-01-25 11:55:31

On Jan 25, 2006, at 6:44 AM, Frank Ellermann wrote:

Is the "likelihood HIGH" maybe a bit exaggerated?

This represents a bit of a conundrum. The acceptance value of a signature cannot be high with a message replay abuse problem. The message replay abuse problem will be high when the signature's acceptance value is also high, but of course that would be impossible. Likely, the signature may be used to excuse large domains leaking abuse and discovered on block-lists, but that will likely change when replay abuse becomes problematic. Just as issues were raised about dealing with list-servers that do not implement DKIM, using a DKIM-Adopters-List when deciding whether to sign a message would tremendously reduce the number of broken signatures. If part of DKIM is to overlay the signature parameter with a result string at the edge of the AdmD, only domains controlled by bad actors would permit the possibility of there being any replay abuse. Of course, this would also indicate bad actors have not fully adopted DKIM and should be removed from a DKIM-Adopters-List.

Another perhaps essential convention could demand that a DKIM-Adopters-List also indicates the EHLO can be verified. This convention can prevent DoS effects created by bad actors adding DKIM signatures. Such a list and practice would greatly increase the acceptance value of the DKIM signature and rule out bad actors with a history of abuse. This would be rather straightforward to implement, and perhaps offering this as a service would help promote DKIM and ensure there are no problems later uncovered. The list should be freely available. To support the list, a fee could be charged to resolve abuse issues collected from a deposit for registering. This would require a tracking and reporting scheme, but much of that already is in place.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org