Mark Delany wrote:
On Wed, Jul 05, 2006 at 08:37:52AM -0700, Michael Thomas allegedly wrote:
It's my belief that DKIM selectors don't allow CNAME's. Am I correct?
First off, lets suppose DKIM's query mechanism were a lot like it is
today, but
the base mechnism didn't have CNAME's. Suppose that somebody proposed
that we should introduce them as a feature. What are:
[ the costs, risks, benefits ]
While interesting, as a practical matter, most verifiers would have to
go to extraordinary length to reliable detect CNAMEs so I think the
question is mostly moot unless it can be shown that there is a risk
unique to DKIM.
Well, here's one: DKIM often runs during the incoming SMTP conversation
with its inherent timeouts. Can attackers exploit that fact? What should a
developer do to minimize risk?
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html