ietf-dkim

Re: [ietf-dkim] DKIM/ADSP edge case writeup at CircleID

2009-03-26 11:23:28
MH Michael Hammer (5304) wrote:

Hector,

This is exactly why I said in the article:

"Some might assert that an organization should never DKIM sign a
non-existent message-id header. At this time it is not clear, at least
to me, that this is absolutely true. The implications of signing versus
not signing under these circumstances certainly merit a healthy
discussion before a verdict is reached." 

I've seen little if any (systematic) discussion of the various cases
(for all headers) and how unsigned non-existent (at time of injection to
the mail stream or signing) might be abused at a later point. Most of
the discussion is about how things SHOULD function, not how they might
be abused.

I agree. As I call it "protocol consistency". Simply put, we don't 
have it here.

<SOAP>

I think there were many discussions in the past when SSP was still 
part of the picture.  SSP is what sold DKIM to me and others. The 
strong early emphasis and marketing presentation points wrt SSP were 
the deciding difference over DKEYS.

ADSP watered it down and since we no longer have a true champion of 
policy based DKIM implementations speaking on our behalf, our voices 
and concerns are ignored and stamped out.

I will say, if ADSP is not part of the picture, I will not bother with 
DKIM. Maybe, if someone came with a DNS DKIM ZONE, that had only a 
listing of domains with ALWAYS SIGN, but with nothing like this, pure 
DKIM processing will be a waste of time.

I should have never given up on DSAP (DKIM Signature Authorization 
Protocol) and kept on it. I only did so after being told SSP would be 
more considerate of the concerns outlined in DSAP. If I knew SSP was 
going to be taken over by ADSP especially by someone who never 
believed in POLICY to begin with, which made the whole process, well, 
stink, no doubt I would have never given up on DSAP.

Oh well, as long as DKIM-BASE remains open and not locked down to 
specific accessors and reputation trust services, then at least there 
is still hope for new I-D and inventions to happen.  Maybe then I will 
introduce DSAP again.

While there might be some folks here that despise SPF, and even among 
those who support it and know it's not 100% perfect, it did prove one 
thing:

     The industry desire to accept the idea of a DOMAIN EMAIL
     POLICY Discovery process solidified by the millions of domains
     and receivers that support SPF.

There is no doubt about that.

</SOAP>

-- 
Sincerely

Hector Santos
http://www.santronics.com


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html