ietf-dkim

Re: [ietf-dkim] layer violations, was detecting header mutations after signing

2010-10-15 04:02:43


--On 14 October 2010 10:23:21 -0700 Michael Thomas <mike(_at_)mtcc(_dot_)com> 
wrote:

On 10/14/2010 10:15 AM, John R. Levine wrote:
If you really think this is such a great big problem, maybe you should
be banging the drums at MAAWG or other venues where the correct set of
ears is potentially listening.

I would rather not have to run a session at MAAWG entitled "How to fix
the security holes in DKIM", but I certainly could.

Am I really the only person who wants to be able to whitelist mail signed
with known good signatures, drop it into user inboxes and expect
reasonable results with existing MUAs?

I would hope so because this would be a really stupid thing to do.
Without the next line of defense -- virus, malware, spam, phishing --
you'd be setting your users up for big problems. Just because it's
DKIM signed from a good source doesn't mean it's not still evil.

I think the emphasis in John's email was on "expect reasonable results with
existing MUAs". If DKIM is any part of the evaluation process, then that's
all thrown away if MUAs are showing the wrong email address as
authenticated.

That's why all of this hand wringing is silly.

Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

