On Apr 28, 2006, at 4:13 PM, Hector Santos wrote:
There seems to be a "battle" of where DKIM is going to be implemented.
DKIM can be more rapidly deployed when verification is allowed to
take place at both the MTA and MUA. There should be no reason for
these goals to be in conflict. This "battle" seems resolved with a
definition of received time rather than current time, as pertaining
to timing constraints for the verification, and a recognition that
SMTP is not the only transport protected by the DKIM signature.
Doug, for what it is worth, DKIM is not going to succeed as a MUA
verifier solution only.
DKIM verification can take place at the MTA and the MUA. At the MTA,
obvious attempts at phishing are where DKIM will significantly improve
upon the false positives, and at allowing more aggressive detection.
Keep in mind such filtering is still reactive, whereas message
annotation of well-known domains at the viewing application is
proactive. These two locations for DKIM verification offer
different, valuable, and compatible benefits.
SMTP software is going to play a vital role here in controlling
mail pollution using the new level of information available to
them, one that is beyond legacy operations.
Obstacles created to impede acceptance will be expensive,
problematic, and affect legitimate senders far more than those intent
on abusing email. Allow DKIM to prove valuable at handling deceptive
messages, while not disrupting the way email is currently used.
So I hope I'm not reading you wrong here and that you want ALL SMTP
software to pass all failures to MUAs.
Over perhaps the span of many years it may become practical to
generally reject messages failing DKIM verification. Domains being
phished are already known by filtering products at the MTA, where
having these domains signing their messages should allow improvements
upon what is and is not rejected for this specific problem. A
general distribution of well-known domain lists utilized at the
viewing application will also afford a type of proactive protection.
DKIM will be of value at both locations, the MUA and MTA.
Obviously, when at the MUA, message annotation replaces message
rejection.
I can't speak for others, but it "ain't" going to happen in our
software. If we can detect DKIM failures, they will be rejected by
default, allowing the operators to decide for themselves. Again,
think Mail Pollution.
Either the body length mechanism is added by the signer to improve
upon the robustness of their message signatures, thereby improving
their acceptance, or there is absolutely _no_ value having this l=
mechanism.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
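The l= body length count raised at the end of the thread, as an added Python example that is not part of the list discussion: it computes the DKIM body hash (RFC 6376 "simple" body canonicalization, SHA-256) over only the first l= octets, and shows why a verifier at the MTA or MUA should report octets past l= as unsigned content rather than treating a matching bh= as covering the whole body. The sample bodies, the check_body helper and its result keys are constructed for this illustration.

```python
import base64
import hashlib
from typing import Optional


def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 "simple" body canonicalization: drop trailing empty lines and
    make sure the body ends in one CRLF (a missing or empty body becomes CRLF)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value: SHA-256 over the canonicalized body, truncated to l= octets
    when a body length count is present (DKIM stores the digest base64-encoded)."""
    canon = simple_body_canon(body)
    covered = canon if length is None else canon[:length]
    return base64.b64encode(hashlib.sha256(covered).digest()).decode("ascii")


def check_body(body: bytes, bh: str, length: Optional[int]) -> dict:
    """Verifier-side body check (constructed helper). Besides comparing bh=,
    it reports how many canonicalized octets lie past l= and are therefore
    not covered by the signature, so a filter or MUA can flag them as unsigned."""
    canon = simple_body_canon(body)
    if length is not None and length > len(canon):
        # l= claims more octets than the body has: treat as a failed signature.
        return {"bh_matches": False, "unsigned_trailing_bytes": 0}
    unsigned = 0 if length is None else len(canon) - length
    return {"bh_matches": body_hash(body, length) == bh,
            "unsigned_trailing_bytes": unsigned}


# Constructed sample: the signer covers exactly its own body with l=.
ORIGINAL = b"Hello,\r\nYour invoice is attached.\r\n"
L_TAG = len(simple_body_canon(ORIGINAL))          # 35 octets
SIGNED_BH = body_hash(ORIGINAL, L_TAG)

# Constructed sample: the same message after text was appended in transit
# (a list footer, or anything else). The bh= value is unchanged by it.
APPENDED = ORIGINAL + b"\r\nP.S. Constructed trailing text outside the l= count.\r\n"

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("appended", APPENDED)):
        print(label, check_body(body, SIGNED_BH, L_TAG))
```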