Wietse Venema wrote:
> Could someone please explain the nature of the problem that would
> exist when these (financial) institutions can't selectively add
> DKIM signatures to outbound email? Engineering is about balance,
> but I haven't heard enough to make the trade-off yet.
See my note to John.
> With per-user records in the DNS, should we not be worried about
> brute-force attacks to guess email addresses?
Maybe. A better way to express this would be to phrase it as a requirement
and/or constraint on any solution that has this as a feature.
> I'm also worried about the implied requirement that a DKIM verifier
> would have to do SSP lookups even when a valid first-hand DKIM
> signature exists.
I've actually implemented this feature from ssp-00 and it does not require
an SSP lookup if there's a valid first-party signature. It's no different
than the normal operation.
Mike
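The verifier rule Mike describes (no SSP lookup when a valid first-party signature is present), as an added example that is not code from the list, from ssp-00 or from any implementation; the policy table, its domain-only keying and the `sample_lookup` callback are constructed stand-ins, since the record format is not specified here.

```python
"""Decide whether a DKIM verifier must consult SSP (Sender Signing
Practices): a valid first-party signature makes the lookup unnecessary,
so SSP queries are issued only for unsigned or third-party-signed mail.
Added illustration; the lookup callback and policy table are constructed."""
from email.utils import parseaddr


def author_domain(from_header):
    """Return the lower-cased domain of the From: address, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_first_party(sig_domain, from_domain):
    """A signature is first-party when its d= equals the From domain
    or is a parent of it (d=bank.example covers mail.bank.example)."""
    sig = sig_domain.lower()
    return from_domain == sig or from_domain.endswith("." + sig)


def needs_ssp_lookup(from_header, valid_sig_domains):
    """True when no valid signature's d= is first-party for the author."""
    fd = author_domain(from_header)
    if fd is None:
        return True
    return not any(is_first_party(d, fd) for d in valid_sig_domains)


# Constructed policy table standing in for DNS-published SSP records.
SAMPLE_POLICIES = {"bank.example": "strict"}


def sample_lookup(domain):
    """Stand-in for the DNS query; returns the policy string or None."""
    return SAMPLE_POLICIES.get(domain)


def evaluate(from_header, valid_sig_domains, lookup=sample_lookup):
    """Return (verdict, number of SSP queries issued)."""
    fd = author_domain(from_header)
    if fd is None:
        return "neutral:unparseable-from", 0
    if not needs_ssp_lookup(from_header, valid_sig_domains):
        return "pass:first-party", 0          # normal DKIM path, no SSP
    policy = lookup(fd)                        # only now touch SSP
    if policy is None:
        return "neutral:no-policy", 1
    return "policy:" + policy, 1
```

The second element of the returned pair counts SSP queries, so a first-party-signed message shows zero regardless of what policy the domain publishes.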
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html