
Re: [ietf-dkim] Author Signature vs. Author Domain Signature / Internal vs External threats

2009-04-03 09:19:03
Again, call it what you want, UAID, SDID, Author Domain Signature vs
Gmail domain signatures or mipassoc.org domain signatures, etc, when 
you have this:

   DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple;
                   d=mipassoc.org; s=k00001; ....
   From: "J.D. Falk" <jdfalk-lists(_at_)cybernothing(_dot_)org>

or this:

   DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple;
                   d=mipassoc.org; s=k00001;....
   From: HLS <sant9442(_at_)gmail(_dot_)com>

which by the way

   DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple;
                   d=gmail.com; ....
   From: HLS <sant9442(_at_)gmail(_dot_)com>

before mipassoc.org got its hands on it, is all about 3rd party "mail 
DKIM interference" with 1st party or other 3rd party signatures.

If you don't control this, then we will undoubtedly begin to see:

   DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple;
                   d=some_phisher.com; ....
   From: Poor User <Poor(_dot_)User(_at_)cox(_dot_)net>

If COX.NET has no plans to deal with this, either with ADSP or 
something else, then pity the Poor User at cox.net.  Sure, the fancy 
reputation system will eventually score up points on some_phisher.com 
or someone will report it early on, but it might be too late for Poor 
User at cox.net.

If you ask me, if there is monetary harm for Poor User and he hires joe 
the lawyer, this is a valid case of engineering neglect and 
malpractice - experts in the field knew the problem existed and it 
was still allowed to perpetuate. Cox.net might have to deal 
with this.  But don't take any of this from me. Present it like I 
said to your chief counsel and see what he says.

-- 
Sincerely

Hector Santos
http://www.santronics.com




Hector Santos wrote:
> Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
>> 3rd party signing was removed from discussion some time ago
>
> Only by name, just like Dave stated here:
>
>   "All that is left is the more general question of deciding how to
>   distinguish among outgoing mail streams with different SDID values."
>
> Call it what you please, the issues of 1st party vs 3rd party is 
> still in play. What do you think this i= thing was all about?
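To make the author-domain vs 3rd-party distinction in the post concrete, here is an added illustration (not code from this thread or from any DKIM implementation): it compares the signature's d= tag with the From: domain, then applies an ADSP-style policy for the author domain. The policy table is a constructed stand-in for the DNS lookup, the From: addresses are constructed with a real "@" rather than the archive's (_at_) obfuscation, and the signature is assumed to have already verified cryptographically.

```python
import re

# Constructed policy table standing in for the ADSP DNS record of each
# author domain. "discardable" is what the post says cox.net would need
# to publish to protect "Poor User"; "unknown" means no record published.
ADSP_POLICY = {
    "cox.net": "discardable",
    "gmail.com": "all",
    "cybernothing.org": "unknown",
}

def parse_tags(value):
    """Parse a DKIM-Signature tag=value list (folded whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def author_domain(from_header):
    """Lowercased domain of the address in the From: header."""
    m = re.search(r"<([^>]+)>", from_header) or re.search(r"(\S+@\S+)", from_header)
    return m.group(1).rsplit("@", 1)[1].lower()

def classify(dkim_sig, from_header, policies=ADSP_POLICY):
    """Return (signature kind, disposition).

    'author' means d= equals the From: domain (an author domain signature),
    'third-party' means another domain signed, 'none' means no signature.
    Only an author signature satisfies an 'all' or 'discardable' policy."""
    d = parse_tags(dkim_sig).get("d", "").lower() if dkim_sig else ""
    author = author_domain(from_header)
    kind = "author" if d and d == author else ("third-party" if d else "none")
    policy = policies.get(author, "unknown")
    if kind == "author" or policy == "unknown":
        disposition = "accept"       # no policy, or the author domain itself signed
    elif policy == "all":
        disposition = "suspicious"   # author domain says all its mail is signed
    else:
        disposition = "discard"      # discardable: not from the author domain
    return kind, disposition

# Constructed samples mirroring the four cases in the post.
PHISH_SIG = "v=1; a=rsa-sha1; c=simple/simple;\n    d=some_phisher.com; s=k1;"
PHISH_FROM = "From: Poor User <Poor.User@cox.net>"
```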





_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
