Jon Callas wrote:
In short -- saying "I sign everything" with a non-existent or bogus
key is the same thing as saying, "You'll never see a valid one of
these."
The problem is the DKIM-BASE mandate of
'IGNORE FAILURES'
By having an implicit "NO MAIL" policy as the original SSP specs had as
well as DSAP, it clearly marked the very strong policy concept of what
the DOMAIN expected.
In other words, saying "I signed Everything", failed mail does not
protect the domain from an exploited domain that should have NEVER been
used in the first place.
If we are willing to fold the failed "I signed Everything" transactions,
as a clear rejectable transaction, then you are right. It can work, but
it is a WEAKER statement with some "possibility" for false positives. With
a NO-MAIL policy, you have 100% NO FALSE positives.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html