ietf-dkim

RE: [ietf-dkim] Re: Additional lookups

2007-03-02 09:50:10

[mailto:ietf-dkim-bounces@mipassoc.org] On Behalf Of Frank Ellermann

Charles Lindsey wrote:

The folks who support listing the algorithms used in the SSP apparently 
think that receivers could care about this nuance.  And the folks 
opposing that idea note that spammers would try to abuse this info.

Eh? This info is provided to counter a possible exploit. Nobody has 
yet suggested that this extra info will open the way to yet further 
exploits.

I'm too lazy to dig through the last 250 or so messages to 
find the source (probably posted by John or Dave), but IIRC 
the idea was this:

A signer publishes support for a new algorithm "rot13".  If 
spammers happen to know that certain receivers don't support 
"rot13", they can forge (invalid) "rot13" signatures in 
phishes to these receivers.

John introduced ROT13 but unless I am severely mistaken he was arguing that 
this attack was unimportant.

My argument is that the attack is a very important one and that policy MUST 
meet it.

Since I only see the need for two DKIM policy tags (DKIM, meaning "I always 
sign", and DKIM-TEST, meaning "I am testing my policy to see if it works"), I 
don't see why adding what is necessary here should lead to endless complaints 
about over-complexity.

All we need to add here is DKIM=<selector-suffix>

The algorithm for verifying compliance with policy is only slightly more 
complex.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
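The following is an added toy model of the "rot13" scenario quoted above and of the receiver-side policy check the thread is arguing about. It is example code written for this page, not code from the DKIM working group or any DKIM implementation, and it does not follow the SSP/ADSP syntax: the policy record format (`sign=always`, `algs=...`), the stand-in `hmac-sha256` "algorithm" (a keyed MAC so the example runs offline; real DKIM uses public-key signatures), the key, the message bodies and the forged header are all constructed for the example. It shows the three outcomes a receiver that cannot verify the claimed algorithm can reach: it can reject the message when the signer's policy says that algorithm is never used, and otherwise it is left with "unverifiable", which is the opening the forger is after.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

def parse_tags(header: str) -> Dict[str, str]:
    """Split a DKIM-style tag=value list ("a=x; d=example.com; b=...") into a dict.
    Only the first '=' separates name from value, so base64 padding in b= survives."""
    tags: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = value.strip()
    return tags

# Constructed stand-in for a signature algorithm: a keyed MAC over the body.
# (Assumption for the example only; DKIM signs with public keys, not a shared key.)
TOY_KEY = b"constructed-key-for-this-example"

def hmac_sign(body: bytes) -> str:
    return hmac.new(TOY_KEY, body, hashlib.sha256).hexdigest()

def hmac_verify(body: bytes, sig_hex: str) -> bool:
    return hmac.compare_digest(hmac_sign(body), sig_hex)

Verifier = Callable[[bytes, str], bool]

def evaluate(policy_record: str,
             supported: Dict[str, Verifier],
             signature_header: Optional[str],
             body: bytes) -> str:
    """Receiver-side policy decision for one message.

    policy_record: hypothetical sender policy (constructed syntax), e.g.
        "sign=always; algs=hmac-sha256:rot13"  -> always signs, with these algorithms
        "sign=always"                          -> always signs, algorithms not listed
    supported: algorithms THIS receiver can verify, name -> verify function.
    Returns "pass", "reject", "unverifiable" or "unsigned-ok".
    """
    policy = parse_tags(policy_record)
    always_sign = policy.get("sign") == "always"
    listed = set(policy["algs"].split(":")) if "algs" in policy else None

    if signature_header is None:
        return "reject" if always_sign else "unsigned-ok"

    sig = parse_tags(signature_header)
    alg = sig.get("a", "")

    if alg in supported:
        # We can check it ourselves; a bad signature counts as no signature.
        if supported[alg](body, sig.get("b", "")):
            return "pass"
        return "reject" if always_sign else "unsigned-ok"

    # An algorithm this receiver cannot verify.
    if listed is not None and alg not in listed:
        # The signer says it never uses this algorithm, so the header is a forgery.
        return "reject" if always_sign else "unsigned-ok"
    # The signer either claims to use this algorithm or says nothing about it:
    # a forgery and a genuine signature look identical from here.
    return "unverifiable"

def demo() -> Dict[str, str]:
    """Run the scenarios from the thread on constructed messages and policies."""
    body = b"Please confirm your account at the usual place.\r\n"
    receiver = {"hmac-sha256": hmac_verify}          # this receiver has no "rot13"
    genuine = f"a=hmac-sha256; d=example.com; b={hmac_sign(body)}"
    forged_rot13 = "a=rot13; d=example.com; b=ZmFrZQ=="   # constructed forgery
    return {
        "genuine":                  evaluate("sign=always; algs=hmac-sha256:rot13", receiver, genuine, body),
        "forged, rot13 listed":     evaluate("sign=always; algs=hmac-sha256:rot13", receiver, forged_rot13, body),
        "forged, rot13 not listed": evaluate("sign=always; algs=hmac-sha256", receiver, forged_rot13, body),
        "forged, no list":          evaluate("sign=always", receiver, forged_rot13, body),
        "tampered body":            evaluate("sign=always", receiver, genuine, body + b"x"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} -> {outcome}")
```

The "forged, rot13 listed" case is the attack Frank describes: once the signer's policy advertises an algorithm this receiver lacks, a forged header carrying that algorithm name cannot be told apart from a real one, and the receiver drops from "reject" to "unverifiable". The "forged, rot13 not listed" case is the check the algorithm list buys: an unsupported algorithm that the signer says it never uses can be rejected outright under a sign-always policy.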
