ietf-dkim

[ietf-dkim] Default SSP Policy Lookup Method

2006-08-24 11:56:01
Phillip wrote:

* If no header is present then a key record can be obtained by
applying a given set of rules. (this is a powerful idea but the
complexity does not seem to be justified by the return).

Phillip,

This is all great, but no one is answering the fundamental question that
will stop bad actors from "indirectly" spoofing your domain.

By "Indirect", I mean the bad actors who do not support DKIM, probably
don't even have a clue about it, or do but see that the verifiers don't
check for policies, so No Signature is the greatest loophole possible - a "do
nothing" concept on the part of the spammer!! It's a wonderful discovery -
"I found the secret to defeat DKIM - Do nothing!"

If we don't address this, then the bad actors have 100% incentive to not
even try to circumvent DKIM. They don't need to. Just don't sign mail or
even try to fake it. Totally ignore DKIM. We don't even have incentive
for the "Good Spammers" to support DKIM. They don't have to.

Solving this one, as you said, is a very powerful idea, and the solution,
IMO, is the basis for all other possible scenarios.

Complex?

I don't think so.  No, not really.  Not from my standpoint.

At the very least, it should be the 2822.From: because in the end,
protecting the 2822.From Display field approaches the ideal maximum
protection that will be shown to the user and for that which we have been
seeking here.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com





_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
