
Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-08 08:54:02
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Charles Lindsey
Sent: Friday, July 08, 2011 3:59 AM
To: DKIM
Subject: Re: [ietf-dkim] Final update to 4871bis for working group review

My favourite counterexample, which I've used many times already, is
Mailman.  It doesn't even check DKIM signatures, but you can still fake
your way through its authorization process such that a different From:
is shown to the user for some MUAs.

Can you please give me a pointer to that?

The source code.  I also recall looking at Spamassassin and/or procmail, and 
majordomo, and finding the same thing.

If DKIM is not intended to give added credence to messages, then what on
earth is its purpose at all?

That question is answered numerous times in the draft, namely the Abstract and 
Sections 1, 1.2, 1.5, 2.5, 2.7, 3.9, 3.11, 6.3, and 8.15 (and other parts of 8).

Yes, it needs to be interpreted with care and
understanding, and our Security Considerations are the vehicle for
improving that understanding.

Indeed.

I suspect many assessors will use a scoring system (like Spamassassin),
where a signed message, even from a totally unknown domain, will add some
positive contribution.

The text in the current draft spells that out as a bad idea.  Moreover, I see 
on Apache's website that right now Spamassassin penalizes a message 0.001 for 
being signed, but removes that penalty if the signature verifies.

-MSK
