On Jan 29, 2009, at 1:14 PM, MH Michael Hammer (5304) wrote:
> Actually, at the risk of sparking even greater flurries of
> electrons, it is not sender created, it is signer created.
Agreed.
Signer does not necessarily have to equal sender for DKIM base. This
is one of the reasons I tend to fall into the "d=" camp.
I see DKIM as requiring a two tier check. The first query would be to
determine whether any resources should be expended on the entity in
the d= value.
The second query would not directly relate to who originated the
message (the sender). After all, such questions are better answered
by S/MIME and OpenPGP. The second query might use the "i=" value to
resolve sub-reputations within larger domains.
Without being able to pose a secondary query, an effective means to
deal with replay abuse seems highly remote. Many of the larger
domains rate limit the messages that any user can send within some
period of time. DKIM messages that can be replayed will defeat a rate
limiting practice that is widely used to minimize the damage that 1%
of the accounts might be causing.
While resolving down to the "i=" value may seem like too much effort,
this would require fewer resources than what is likely required to
implement negative reputations for IPv6.
-Doug
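As an added illustration of the two-tier check described above (example code written for this page, not from the thread or any DKIM implementation): tier 1 decides from the "d=" tag whether to spend any effort on the signer at all, tier 2 counts messages per "i=" identity so that a replayed signature still hits a rate limit at the receiver. The known-signer set, the per-identity limit and the sample header are constructed for the demo; a real verifier would also expire the counters after a time window.

```python
# Constructed reputation data for the example (not from the thread).
KNOWN_SIGNERS = {"example.com"}   # tier 1: d= values worth evaluating further
PER_IDENTITY_LIMIT = 3            # tier 2: messages allowed per i= per window

def parse_tags(sig):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for item in sig.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)      # b= may itself contain '=' padding
            tags[name.strip()] = "".join(value.split())   # folding whitespace is not significant
    return tags

def signer_identities(tags):
    """Return (d, i). i= defaults to '@'+d and its domain must be d= or a subdomain of it."""
    d = tags["d"].lower()
    i = tags.get("i", "@" + d).lower()
    idom = i.rpartition("@")[2]
    if idom != d and not idom.endswith("." + d):
        raise ValueError("i= domain %r is not within d= %r" % (idom, d))
    return d, i

def two_tier_check(sig, seen_counts):
    """Classify one signed message.

    seen_counts maps i= identity -> messages seen in the current window (caller-owned
    state, so that a replayed message resent many times is counted against its i=).
    Returns 'reject' (i= outside d=), 'skip' (unknown signer, spend nothing more),
    'throttle' (identity over its limit) or 'accept'.
    """
    try:
        d, i = signer_identities(parse_tags(sig))
    except (KeyError, ValueError):
        return "reject"
    if d not in KNOWN_SIGNERS:                # tier 1: is this signer worth a lookup?
        return "skip"
    seen_counts[i] = seen_counts.get(i, 0) + 1
    if seen_counts[i] > PER_IDENTITY_LIMIT:   # tier 2: per-identity rate limit
        return "throttle"
    return "accept"

if __name__ == "__main__":
    # Constructed header; bh= and b= are placeholders, not real digests or signatures.
    sample = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
              "i=alice@sales.example.com; h=from:to:subject; bh=BODYHASH; b=SIG")
    counts = {}
    for _ in range(5):                        # the same message replayed five times
        print(two_tier_check(sample, counts))
```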
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html