ietf-dkim

Re: [ietf-dkim] Underscore considerations

2006-06-08 17:16:28

On Jun 8, 2006, at 5:00 PM, Paul Hoffman wrote:

> At 4:35 PM -0700 6/8/06, Jim Fenton wrote:
>> Let's try to construct the problem case: Suppose someone managed to register _domainkey.com. They could then publish keys in that domain, and sign arbitrary messages on behalf of .com. That's obviously a Bad Thing.
>
> Er, why? It is only bad if someone signs messages with "d=com", which is unlikely.

Assume that a recipient expects to see the email-address validation annotation. A bad actor that has obtained or compromised a key at this location could then sign messages, and recipients could see all the email addresses using *.com annotated as having been validated. This validation, as currently defined in DKIM, is to be accepted.

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
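
Added illustration, not part of the thread or of any DKIM implementation: a Python sketch of how a verifier derives the key lookup name from `s=` and `d=`, why a signature with `d=com` would cover every `*.com` address, and a verifier-side check that refuses a single-label `d=`. The sample headers, the function names, the single-label policy, and applying the subdomain rule to the From address are assumptions made for this example.

```python
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_query_name(tags):
    """DNS name where the verifier fetches the public key (TXT record)."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def covers(signing_domain, address):
    """True if the address domain equals d= or is a subdomain of it."""
    addr_domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    d = signing_domain.lower().rstrip(".")
    return addr_domain == d or addr_domain.endswith("." + d)

def acceptable_signing_domain(signing_domain):
    """Assumed local policy: refuse a single-label d= such as "com"."""
    labels = [label for label in signing_domain.strip(".").split(".") if label]
    return len(labels) >= 2

def evaluate(header_value, from_address):
    """Summarise what a verifier would look up and whether to trust it."""
    tags = parse_tags(header_value)
    return {
        "query": key_query_name(tags),
        "covers_from": covers(tags["d"], from_address),
        "policy_ok": acceptable_signing_domain(tags["d"]),
    }

# Constructed sample headers (placeholders, not from any real message).
TLD_SIG = "v=1; a=rsa-sha256; d=com; s=sel1; h=from:subject; bh=...; b=..."
NORMAL_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from; bh=...; b=..."

if __name__ == "__main__":
    for sig in (TLD_SIG, NORMAL_SIG):
        print(evaluate(sig, "alice@example.com"))
```
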