Douglas Otis:
On Sep 6, 2006, at 4:38 PM, Wietse Venema wrote:
Jim Fenton:
The aspect of user-level SSP that concerns me equally is the
transaction load. When user-level SSP is "turned on", the
verifier MUST query for a user-level record in addition to the
domain-level record. User-level queries are not as effectively
cached, since these are queries for individual addresses, not
domains.
Could someone please explain the nature of the problem that would
exist when these (financial) institutions can't selectively add
DKIM signatures to outbound email? Engineering is about balance,
but I haven't heard enough to make the trade off yet.
An institution that signs all their messages may wish to restrict
No offense intended, but I had hoped that someone else could answer
the question, instead of the one voice that I hear advocating this
item several times a day.
With per-user records in the DNS, should we not be worried about
brute-force attacks to guess email addresses?
Why? The signature must be valid and the email-address must be
assured to be valid. How is the email-address susceptible?
I can answer that. Exploitation of the mapping from recipient
address to DNS record name, by the application of brute force.
I expect that hammering a DNS server would be much faster and much
stealthier than hammering an SMTP server.
Wietse
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html