ietf-dkim
[Top] [All Lists]

Re: creeping i= (was RE: [ietf-dkim] Responsibility vs. Validity)

2007-12-13 01:52:47
J D Falk wrote:
Jeff Macdonald wrote:

  
I'm a bit behind on this but:

On Thu, Nov 29, 2007 at 03:43:55PM -0500, J D Falk wrote:
    
I agree, that would be extremely helpful -- but DKIM's i= won't give
      
it
  
to us.  (Unless you're assuming that these same botnet operators will
allow themselves to be corralled into a single identifer, which
      
clearly
  
isn't the case.)
      
this thinking needs to be applied to d= too. And once you do that,
then the logical conclusion (well, to me :)) is that d= isn't any
better as an identifier.
    

A bad guy buying another domain name is a threat we already have to deal
with today.  It's not a high barrier, but it is a barrier.

The same bad guy having an infinite number of entirely distinct i=
identities at each of those domains would be a new threat, equal to
forging the From: header -- and the obvious conclusion will be to ignore
i= and instead concentrate on d= (along with other reputation inputs.)
  

The bad guy can still create subdomains and publish keys there:  Create
a key under foo._domainkey.sub.example.com and they can sign with s=foo;
d=sub.example.com.  In other words, using d= doesn't get away from being
able to create a whole bunch of entirely different identifiers. 
Creating key records is really cheap.

This is part of the reason that I consider d= to be just the location
where the key is stored, and nothing more than that.
But since this is about reputation, it's out of scope.
  

Sure enough.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>