On 10/5/10 8:45 AM, Dave CROCKER wrote:
At a deeper level, there is a continuing problem with casting DKIM as a
mechanism to "protect" a message. That's something that OpenPGP and S/Mime
do; it's not something DKIM does. DKIM merely tries to do enough to ensure
that the d= is valid, to provide a basis for reputation assessment.
Deeper still, DKIM prevents false positive phishing detection. But
since a bad actor can poison reputation whenever verification of a DKIM
domain is associated with undesired delivery, such use suggests DKIM as
a basis for reputation will not work.
It would be accurate to say DKIM provides a basis for white-listing
based upon information derived by other means, and offers a strong basis
to apply acceptance policy based upon associations with the From header
field. However, this policy also needs to consider legitimate
third-party services to discourage the bad practice of using sub or
cousin domains with MX records or MTAs lacking restrictive
authentication policies, since this would make the phishing problem even
more intractable.
-Doug
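As an added illustration of the acceptance policy sketched in this reply (example code, not from the thread or any DKIM implementation): a check that consults reputation only for signers already trusted by other means, requires the verified d= to be associated with the From domain, and allows an explicitly authorized third-party signer. The domain lists and the two-label organizational-domain rule are constructed assumptions.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Literal

# Constructed policy data, not real reputation information.
# Signers that earned a good reputation by means other than DKIM itself.
KNOWN_GOOD_SIGNERS = {"bank.example", "newsletter.example"}
# Author domains that have authorized a third-party service to sign for them.
AUTHORIZED_THIRD_PARTY = {"bank.example": {"mailer.example"}}


@dataclass
class Verdict:
    disposition: Literal["accept", "unknown", "unaligned", "unsigned"]
    reason: str


def organizational(domain: str) -> str:
    """Collapse sub-domains to the registered domain (naive: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def evaluate(from_header: str, verified_d: list[str]) -> Verdict:
    """Decide acceptance from the verified DKIM d= values and the From header.

    A verified signature only proves the signer controls d=; anyone can sign
    with a domain they own, so verification alone must not earn reputation.
    """
    _, addr = parseaddr(from_header)
    author = organizational(addr.rpartition("@")[2])
    if not verified_d:
        return Verdict("unsigned", "no verified DKIM signature")
    aligned_unknown = None
    for d in verified_d:
        signer = organizational(d)
        if signer in AUTHORIZED_THIRD_PARTY.get(author, set()):
            return Verdict("accept", f"authorized third-party signer {signer}")
        if signer == author:
            if signer in KNOWN_GOOD_SIGNERS:
                return Verdict("accept", f"aligned first-party signer {signer}")
            aligned_unknown = signer  # e.g. a cousin domain signing for itself
    if aligned_unknown:
        return Verdict("unknown", f"aligned signer {aligned_unknown} has no reputation")
    # Verified but unrelated to the author domain: any sender can produce
    # this, so it must not influence the author domain's standing.
    return Verdict("unaligned", f"signers {verified_d} not associated with {author}")
```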
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html