Scott Kitterman wrote:
On Thursday 27 July 2006 18:31, Jon Callas wrote:
If I use isp.example.com and they sign messages with my name and a key (theirs or mine, doesn't matter) and they also sign messages actually sent by joe spammer (another one of their customers) with my name and a key (again, theirs or mine), then it sucks to be me. That's the problem.
No, it doesn't suck to be you. The first letter of DKIM stands for
"Domain." It sucks to be example.com.
To clarify, by me, I meant my domain. The problem is that in this type of scenario, there is no way to externally distinguish between mail actually sent by the vanity domain owner and mail sent by another customer of isp.example.com.
I guess this means that isp.example.com is not worthy of your delegation
of signing authority to them, and you should shop elsewhere (find a more
reliable ISP, or sign your own messages). I think the ISPs will get it
right fairly quickly if they lose business as a result of not
authenticating mail submission properly (or otherwise fixing whatever
mechanism allowed Joe Spammer's message through).
-Jim
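The two positions above can be shown in a few lines of code. The following is an added example, not code from the list, from Scott, Jon or Jim, or from any DKIM implementation. It models a submission server at isp.example.com that holds a signing key for the vanity domain example.com. HMAC-SHA256 stands in for DKIM's RSA signature so it runs on the standard library alone; the canonicalization is a simplified relaxed-style one, and the key table, the submission ACL, the user names "scott" and "joe" and the two messages are all constructed for the example. The unchecked signer produces a valid d=example.com signature for a message submitted by another customer with a forged From, which is exactly the "no way to externally distinguish" problem; the checked signer consults who authenticated at submission time and only signs with a domain that user is authorized for, which is the fix Jim describes.

```python
import hashlib
import hmac
import re
from email.utils import parseaddr

# Constructed for the example: the ISP holds one key per domain it signs for.
# HMAC-SHA256 is a stand-in for DKIM's RSA signature; the verifier still only
# learns d=, never which customer submitted the message.
SIGNING_KEYS = {
    "example.com": b"example.com-selector-key",
    "isp.example.com": b"isp-selector-key",
}

# Assumed submission ACL: authenticated submitter -> domains they may be
# signed as. Joe is a customer but has no claim on example.com.
SUBMISSION_ACL = {
    "scott": {"example.com"},
    "joe": set(),
}

WS = re.compile(r"\s+")


def parse_message(raw):
    """Split a raw message into [(lowercased name, value)] and body."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def canonicalize(headers, names):
    """Relaxed-style canonicalization of the header fields listed in h=."""
    parts = []
    for wanted in names:
        for name, value in headers:
            if name == wanted:
                parts.append(wanted + ":" + WS.sub(" ", value).strip())
                break
    return "\r\n".join(parts).encode()


def sign(raw, d, selector="s1", h=("from", "to", "subject")):
    """Prepend a DKIM-Signature-like header signed under domain d."""
    headers, body = parse_message(raw)
    bh = hashlib.sha256(body.encode()).hexdigest()
    tags = "v=1; a=hmac-sha256; d=%s; s=%s; h=%s; bh=%s; b=" % (d, selector, ":".join(h), bh)
    data = canonicalize(headers, h) + b"\r\n" + ("dkim-signature:" + tags).encode()
    b = hmac.new(SIGNING_KEYS[d], data, hashlib.sha256).hexdigest()
    return "DKIM-Signature: " + tags + b + "\n" + raw


def verify(signed):
    """Return the d= domain if the signature checks out, else None."""
    headers, body = parse_message(signed)
    sig = dict(headers)["dkim-signature"]
    tags = dict(t.strip().split("=", 1) for t in sig.split(";"))
    if hashlib.sha256(body.encode()).hexdigest() != tags["bh"]:
        return None
    unsigned = sig.rsplit("b=", 1)[0] + "b="   # the header as it was when signed
    data = canonicalize(headers, tags["h"].split(":")) + b"\r\n" + ("dkim-signature:" + unsigned).encode()
    expected = hmac.new(SIGNING_KEYS[tags["d"]], data, hashlib.sha256).hexdigest()
    return tags["d"] if hmac.compare_digest(expected, tags["b"]) else None


def from_domain(raw):
    headers, _ = parse_message(raw)
    return parseaddr(dict(headers).get("from", ""))[1].rpartition("@")[2].lower()


def isp_sign_unchecked(auth_user, raw):
    """The broken ISP: signs with whatever domain appears in From:."""
    return sign(raw, from_domain(raw))


def isp_sign_checked(auth_user, raw, isp_domain="isp.example.com"):
    """The fixed ISP: only signs as a domain the authenticated submitter owns."""
    d = from_domain(raw)
    if d in SUBMISSION_ACL.get(auth_user, set()):
        return sign(raw, d)
    return sign(raw, isp_domain)   # still signed, but as the ISP itself


# Constructed sample messages. Joe's carries a forged From: for example.com.
SCOTT_MAIL = "From: Scott <scott@example.com>\nTo: list@example.net\nSubject: hello\n\nMail from the vanity domain owner.\n"
JOE_MAIL = "From: Scott <scott@example.com>\nTo: victim@example.net\nSubject: offer\n\nMail from another customer of the ISP.\n"

if __name__ == "__main__":
    print("unchecked, joe:", verify(isp_sign_unchecked("joe", JOE_MAIL)))
    print("checked, joe:  ", verify(isp_sign_checked("joe", JOE_MAIL)))
```

With the unchecked signer, both messages verify as d=example.com and a receiver has nothing to tell them apart; with the checked signer, Joe's message still carries a valid signature, but d=isp.example.com, so the ISP rather than the vanity domain answers for it.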
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html