On Thu, 08 Nov 2007 23:36:02 -0000, Hector Santos <hsantos(_at_)santronics(_dot_)com> wrote:

> They can make themselves look like cisco.com or any other HV domain and
> with the obvious failure and t=y, how will verifiers react to this?
> The SSP specs say to ignore the failed validation.
> The bad guys will use this with the HOPE they can get one foot in the
> door, in fact, verifiers might not even TRY to validate at all because a
> t=y will trigger a "SKIP DKIM" concept.

Surely, t=y will be used in one of two scenarios:

1. Someone is intending to roll out DKIM, and is trying it out. He is not
   sure whether he has implemented it right, so it may fail.

   But in that case there will be no SSP record, or if there is one it will
   say "we do not sign (yet)".

2. An existing DKIM user is rolling out a new algorithm. As before, he may
   get it wrong and the signatures may fail.

   BUT, if (as is likely) his SSP says "we sign everything", then he MUST
   continue to sign with his old algorithm, in addition to the new one which
   has "t=y" in it.

With those two provisos, the existing rule, to ignore any failed t=y
signature (as though there had been no signature), makes perfectly good
sense.

And, answering another point that was made, it may make good sense to
report back to the signer on t=y signatures that failed, so that he can
fix his bug. A t=y user can reasonably expect to receive such reports.
OTOH, without a t=y, attempts to regularly report failures would amount to
harassment, and are a Bad Thing.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
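
The rule discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: a failed signature whose key record carries the `t=y` flag is dropped as though it were absent, and the sender's signing policy is then applied to whatever remains. The function names, the policy labels `signs_all` / `no_policy`, the result labels and the key records are assumptions constructed for illustration.

```python
# Added illustration; names, policy labels and result labels are assumptions.
from dataclasses import dataclass

def key_flags(key_record: str) -> set:
    """Return the flags in the t= tag of a DKIM key record (colon-separated list)."""
    for tag in key_record.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "t":
            return {f.strip() for f in value.split(":") if f.strip()}
    return set()

@dataclass
class SigResult:
    domain: str        # d= of the signature
    verified: bool     # outcome of cryptographic verification (never skipped)
    key_record: str    # key record the signature's selector pointed at

def effective_signatures(results):
    """Treat a failed signature made with a t=y key as if it were not there."""
    return [r for r in results if r.verified or "y" not in key_flags(r.key_record)]

def report_candidates(results):
    """Failed t=y signatures: the failures a testing signer expects reports on."""
    return [r for r in results if not r.verified and "y" in key_flags(r.key_record)]

def evaluate(from_domain, results, ssp):
    """ssp is a hypothetical label: 'signs_all' or 'no_policy'."""
    kept = effective_signatures(results)
    if any(r.verified and r.domain == from_domain for r in kept):
        return "pass"
    if ssp == "signs_all":
        return "suspicious"  # policy promises a valid signature and none survived
    return "neutral"         # handled exactly like unsigned mail

# Constructed sample key records (p= values are placeholders, not real keys).
TEST_KEY = "v=DKIM1; k=rsa; t=y; p=CONSTRUCTED"
PROD_KEY = "v=DKIM1; k=rsa; p=CONSTRUCTED"

if __name__ == "__main__":
    bad_new = SigResult("example.com", False, TEST_KEY)
    good_old = SigResult("example.com", True, PROD_KEY)
    print(evaluate("example.com", [bad_new], "no_policy"))            # scenario 1
    print(evaluate("example.com", [good_old, bad_new], "signs_all"))  # scenario 2
    print(evaluate("example.com", [bad_new], "signs_all"))            # old signature missing
```

Verification is always attempted here; `t=y` only changes how a failure is handled, so a failing test-mode signature on its own gives a message no better standing than an unsigned one.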