Damon,

You're right. I meant the NO-MAIL policy in my paragraph below. To me,
the fundamental "natural laws" for DKIM or any SIGNING concept are:

- I ALWAYS SIGN THIS DOMAIN
- I NEVER SIGN THIS DOMAIN
- SIGNED OR NOT SIGNED, DO NOT EXPECT MAIL FROM THIS DOMAIN -
  WE DON'T USE THIS DOMAIN FOR EMAIL. PERIOD.
- NO ONE BUT MY DOMAIN SIGNS (no 3rd parties)
- OTHERS CAN SIGN (Preferably from an authorized list)

It really has nothing to do with the validity of the signature. The
mere fact that one of the above may conflict with the domain
expectations is a protocol violation in itself.

And what is very important, which is what DSAP was all about, is that
they can all easily happen naturally in practice, directly and
indirectly - hence a security issue.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
Damon wrote:
>> The DKIM "Policies Concept" design MUST include an "I NEVER SIGN" or "NO
>> SIGNATURE" domain expectation concept as a requirement. This is a
>> fundamental protection for the otherwise unprotected DKIM-BASE signature
>> process and now that we are discussing wild cards and sub-domains, this
>> no-signature idea becomes even more prevalent.
>> --
>> Sincerely
>> Hector Santos, CTO
>
> I hope someone can straighten me out on this because I am getting a
> little confused.
> There is a difference between "I Never Sign" and "I send no mail".
> While I actually support BOTH, I didn't think that "I Never Sign" was
> in question.
> Is it?
> Regards,
> Damon Sauer
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html