On Jan 31, 2006, at 2:51 PM, J.D. Falk wrote:
On 2006-01-31 08:30, Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
If I do not publish any key records and a bad actor whips up an
email purported to be from me with a fake signature attached, a
non dkim compliant mta may have a rule that states "signed
messages are probably okay" that might bypass some spam checking
software. Before DKIM is fully adopted/deployed expect to see this
happen,
1. As previously mentioned, anyone making reputation decisions
based on an unauthenticated DKIM signature will quickly learn (if
they're paying any attention at all) that they have made a mistake.
2. the "spammers have co-opted DomainKeys wtf omg" story was last
year:
http://www.eweek.com/article2/0,1759,1732576,00.asp?kc=EWNKT0209KTX1K0100440
Re #2, the sky has not yet fallen.
By the same token, this story points out that basing reputations upon
an authenticated DKIM signature is also a mistake. Reputations can
only be based upon a "trusted" signing-domain. Once that trust is
lost, the domain becomes just another email source. Most ISPs should
be excluded from a trustworthy category. It may be possible to
establish trust more selectively within a normally untrustworthy
domain, provided there is a means to make explicit assurances that
sources are validated by the sender and marked as trustworthy. Such
assurances could prove useful for machine to machine communications,
for example.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
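
The distinction the thread draws, between a signature that is merely present, one that verified, and one that verified for a signing domain the receiver trusts, is shown below as an added sketch; it is not code from any of the posters or from a DKIM implementation. It assumes the receiver's own verifier records its result in an Authentication-Results header (parsed here in simplified form), and the authserv-id `mx.example.net`, the trusted-signer list and all sample messages are hypothetical.

```python
import re
from email import message_from_string

# Hypothetical values (not from the thread): our verifier's id, locally vetted signers.
OUR_AUTHSERV_ID = "mx.example.net"
TRUSTED_SIGNERS = {"bank.example"}
DKIM_RESULT = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

def verified_domains(msg):
    """Signing domains our own verifier recorded as dkim=pass (simplified parse)."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if (authserv.split() or [""])[0].lower() != OUR_AUTHSERV_ID:
            continue  # result header not written by our verifier: ignore it
        for result, domain in DKIM_RESULT.findall(results):
            if result.lower() == "pass":
                passed.add(domain.lower())
    return passed

def classify(raw_message):
    """Only 'trusted-signer' may feed reputation; every other class gets full filtering."""
    msg = message_from_string(raw_message)
    passed = verified_domains(msg)
    if passed & TRUSTED_SIGNERS:
        return "trusted-signer"
    if passed:
        return "verified-untrusted"    # authenticated, yet just another email source
    if msg.get("DKIM-Signature") is not None:
        return "unverified-signature"  # a signature header alone earns nothing
    return "unsigned"

def sample(d, srv=None, signed=True):
    """Build a constructed test message; header values are placeholders."""
    ar = f"Authentication-Results: {srv}; dkim=pass header.d={d}\n" if srv else ""
    sig = f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel; h=from; bh=AAAA; b=BBBB\n" if signed else ""
    return ar + sig + f"From: sender@{d}\nSubject: test\n\nhello\n"

SAMPLES = {
    "sig_only": sample("bank.example"),
    "foreign_ar": sample("bank.example", srv="other.example"),
    "isp": sample("isp.example", srv=OUR_AUTHSERV_ID),
    "vetted": sample("bank.example", srv=OUR_AUTHSERV_ID),
    "plain": sample("isp.example", signed=False),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11s} -> {classify(raw)}")
```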