----- Original Message -----
From: <Bill(_dot_)Oxley(_at_)cox(_dot_)com>
The newfound unchecked DKIM junk will always be with us.

And if DKIM is expected to be adopted, those newfound unchecked DKIM junk
numbers are expected to be high. It's quite simple:

DKIM-BASE RULE:

  - Mail Has DKIM-Signature Header:
      VALID   --> PASS TEST
      INVALID --> IGNORE/CONTINUE
  - Mail has no DKIM-Signature Header:
      CONTINUE

So you have two types of continues:

  CONTINUE-DKIM-FAILURE
  CONTINUE-LEGACY

Our problem in the SMTP industry is that we cannot make heads or tails
of legacy operations.

DKIM helps raise the bar. It's a new level of expectations. If a message has
a "purported" signature, albeit a failed one, this is not a LEGACY
operation. This would be a new era of incredible and valuable information
that can be used to help protect the exploitation of domains. In short, it
is fundamentally illogical to suggest in the SMTP world:

  CONTINUE-DKIM-FAILURE is equal to CONTINUE-LEGACY

DKIM base is not about determining acceptance policy, it's about
identification of where the mail was handled last.

So it's a TRACE system now?

SSP is an authentication methodology, not part of the base.
Hmmm I believe the technical model is closer to:

  1) DKIM is an Authentication concept because it helps validate
     the integrity of the message object.
  2) SSP is a DKIM signature Authorization policy concept.

The DNS server is your public central server. The idea is that the bad guy
does not have WRITE/DELETE access to your DNS KEYS. It has only READ
ACCESS. Having WRITE/DELETE access would be a protocol flaw or threat.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
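
The three outcomes of the rule above, kept as distinct states, as an added example that is not part of the original message. `verify` is a hypothetical stand-in for the real signature check against the key published in DNS, and the sample messages and their b= values are constructed.

```python
from email import message_from_string
from enum import Enum

class Outcome(Enum):
    PASS = "PASS"
    CONTINUE_DKIM_FAILURE = "CONTINUE-DKIM-FAILURE"
    CONTINUE_LEGACY = "CONTINUE-LEGACY"

def parse_tags(value):
    """Split a DKIM-Signature tag list ("v=1; d=example.com; ...") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace (including header folding) is dropped from the value,
            # which is adequate for the d=, s= and b= tags used here.
            tags[name.strip()] = "".join(val.split())
    return tags

def classify(raw, verify):
    """Return (Outcome, signing domains taken from the d= tags).

    verify(raw, tags) -> bool is a hypothetical callable (assumption) that
    performs the cryptographic check for one signature.
    """
    sigs = message_from_string(raw).get_all("DKIM-Signature") or []
    if not sigs:
        return Outcome.CONTINUE_LEGACY, []
    purported = []
    for sig in sigs:
        tags = parse_tags(sig)
        if verify(raw, tags):
            return Outcome.PASS, [tags.get("d", "")]
        purported.append(tags.get("d", ""))
    # A signature was present but none verified: keep the purported domains
    # so this case stays distinguishable from unsigned legacy mail.
    return Outcome.CONTINUE_DKIM_FAILURE, purported

def stub_verify(raw, tags):
    # Constructed stand-in: treats b=GOOD as a valid signature.
    return tags.get("b") == "GOOD"

# Constructed sample messages.
BODY = "From: a@example.com\nSubject: test\n\nhello\n"
SIGNED_OK = "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n b=GOOD\n" + BODY
SIGNED_BAD = "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n b=BAD\n" + BODY
UNSIGNED = BODY

if __name__ == "__main__":
    for name in ("SIGNED_OK", "SIGNED_BAD", "UNSIGNED"):
        print(name, classify(globals()[name], stub_verify))
```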