On Mar 11, 2009, at 1:26 PM, Michael Thomas wrote:
> Steve Atkins wrote:
>> If there were another field in the DKIM-Signature header, or an
>> entirely separate email header covered by the DKIM signature, that
>> stated "all email sent using this domain in the From field will be
>> DKIM signed" then any receiving MTA or MTA cluster could keep track
>> of that state (probably using their existing reputation tracking
>> system in the case of large receivers, and using a fairly trivial
>> extension to their DKIM plugins in the case of smaller ones).
>
> If nothing else, this would make revocation sort of... bizarre
> and unpredictable. The implication is that I'd have to send $you
> mail (for $you == 'universe') to get you to nuke my record in your
> database. Of course every good protocol becomes a control protocol
> for others, but still this seems a little whacked even by that
> standard :)
The only effect of the record is to reject mail that claims to be from
me. If I never send you legitimate email then it'll never be an issue.
If I send you legitimate email that's DKIM signed, then that includes
the revocation.
I'd presume there'd be some sort of TTL included, probably in the
2-13 month sort of timescale. So you'd just have to keep signing all
your outbound email with DKIM for a little longer than that TTL.
Cheers,
Steve
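The receiver-side state machine Steve sketches above (record the "all my mail is signed" assertion when it arrives under a valid signature, reject unsigned mail from that domain while the record is live, treat signed mail without the assertion as the revocation, and let the record age out after a TTL) is small enough to write down. The following is an added example, not code from the list thread or from any DKIM implementation. It assumes a hypothetical header name `X-DKIM-Sign-All` with a hypothetical `ttl=<seconds>` value, assumes that the DKIM verification has already been done and only its result (the `d=` domain of a signature that verified, or none) is passed in, and assumes that only a signature by the From domain itself may create or revoke the record, so that a third party who signs someone else's From cannot plant or clear policy for them. The receiver-side cap on the TTL is likewise an assumption.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical header name and value syntax, assumed for this example only.
ASSERTION_HEADER = "X-DKIM-Sign-All"
# Receiver-side cap on how long a record may live, assumed here; roughly the
# upper end of the 2-13 month range mentioned in the thread.
MAX_TTL_SECONDS = 395 * 86400


@dataclass
class Message:
    from_domain: str
    signing_domain: Optional[str]            # d= of a signature that verified; None if none
    headers: Dict[str, str] = field(default_factory=dict)


class FakeClock:
    """Controllable clock so the scenario below is deterministic (constructed for the example)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SignAllCache:
    """Per-receiver table: From domain -> expiry time of its 'all mail is signed' assertion."""

    def __init__(self, default_ttl: int = 60 * 86400,
                 clock: Callable[[], float] = time.time) -> None:
        self.default_ttl = default_ttl
        self.clock = clock
        self.expires: Dict[str, float] = {}

    def _active(self, domain: str, now: float) -> bool:
        exp = self.expires.get(domain)
        if exp is None:
            return False
        if exp <= now:
            del self.expires[domain]         # lazy expiry once the TTL has run out
            return False
        return True

    def _parse_ttl(self, value: str) -> int:
        m = re.fullmatch(r"\s*ttl=(\d+)\s*", value)
        ttl = int(m.group(1)) if m else self.default_ttl
        return min(ttl, MAX_TTL_SECONDS)     # never let a sender pin a record forever

    def process(self, msg: Message) -> str:
        """Return 'accept' or 'reject' for one message and update the table."""
        now = self.clock()
        domain = msg.from_domain.lower()
        author_signed = (msg.signing_domain is not None
                         and msg.signing_domain.lower() == domain)
        if author_signed:
            value = msg.headers.get(ASSERTION_HEADER)
            if value is not None:
                self.expires[domain] = now + self._parse_ttl(value)   # create/refresh
            else:
                self.expires.pop(domain, None)                         # signed mail w/o assertion revokes
            return "accept"
        # Unsigned, or signed only by some other domain: policy applies if a record is live.
        return "reject" if self._active(domain, now) else "accept"


def run_scenario() -> List[str]:
    """Walk one domain through assert, enforce, revoke and expiry; returns the decisions."""
    clock = FakeClock()
    cache = SignAllCache(clock=clock)
    d = "example.com"
    steps = [
        Message(d, None),                                        # no record yet: accept
        Message(d, "other.net", {ASSERTION_HEADER: "ttl=100"}),  # third-party sig cannot assert
        Message(d, None),                                        # still no record: accept
        Message(d, d, {ASSERTION_HEADER: "ttl=100"}),            # author sig + assertion: record
        Message(d, None),                                        # unsigned now rejected
        Message(d, "other.net"),                                 # third-party sig alone: rejected
        Message(d, d),                                           # author sig, no assertion: revoke
        Message(d, None),                                        # record gone: accept
        Message(d, d, {ASSERTION_HEADER: "ttl=100"}),            # assert again
    ]
    out = [cache.process(m) for m in steps]
    clock.advance(50)
    out.append(cache.process(Message(d, None)))   # inside TTL: reject
    clock.advance(51)
    out.append(cache.process(Message(d, None)))   # TTL expired: accept
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The scenario makes Michael's objection concrete: revocation only reaches a receiver when that receiver sees a signed message from the domain, so a record planted at a receiver you never mail again simply sits there until its TTL runs out, which is why the sender has to keep signing for a little longer than the longest TTL it ever advertised.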
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html