On Aug 3, 2005, at 1:40 AM, Tony Finch wrote:
> On Mon, 1 Aug 2005, Douglas Otis wrote:
>> [...] message signatures offer _no_ authenticated identifier prior to
>> resources being committed. [...] acting upon a bad signature's history
>> by refusing service against the domain name comes too late to preserve
>> resources.
>
> This is off-topic because it's about optimizing rejections and reputation
> lookups, rather than the basic authentication mechanism.
>
> What's the problem with doing the reputation lookup before verifying the
> signature? If the rep is bad enough to reject the message then it doesn't
> matter whether the sig is good or bad. The sig (and therefore the rep
> lookup key) occurs early enough in the data that no disk resources need to
> be committed, and the RAM required is pretty small.

The concept of resource includes the network, in addition to system
resources. Whether this would be for a school sharing a T1 line, or
some other enterprise with limited network resources, these resources
can be consumed by today's level of email abuse. Without feeding
forward name protections prior to the exchange of the message, DoS
protections would need to rely upon the IP address, which diminishes
the incremental benefits from DKIM providing a valid name. DoS
created by bogus signatures could not depend upon checking signatures
as well. Of course, the abuse reductions for the inbox are a separate
matter.
-Doug
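
The ordering debated in this exchange, as an added example that is not part of either poster's message: the signing domain (the `d=` tag of a `DKIM-Signature` header) is extracted from the first DATA chunks and looked up before any signature verification, and the function also reports how many bytes had already crossed the network when that key became available. The reputation table, threshold, function names and sample messages are constructed assumptions.

```python
import re

# Constructed reputation data (assumption): signing domain -> score.
REPUTATION = {"bulk.example": -10, "school.example": 5}
REJECT_BELOW = -5

def signing_domain(header_block):
    """Return the d= tag of the first DKIM-Signature header, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_block)  # undo header folding
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        tags = {}
        for item in value.split(";"):
            key, sep, val = item.partition("=")  # first '=' only; b= holds base64
            if sep:
                tags[key.strip()] = "".join(val.split())
        return tags.get("d", "").lower() or None
    return None

def early_decision(data_chunks):
    """Consume DATA chunks only until the header block ends, then decide.

    Returns (action, domain, bytes_received). Nothing is verified or written
    to disk here, but bytes_received is traffic already spent on the link.
    """
    buf = b""
    end = -1
    for chunk in data_chunks:
        buf += chunk
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            break
    headers = buf if end == -1 else buf[:end]
    domain = signing_domain(headers.decode("ascii", "replace"))
    score = REPUTATION.get(domain, 0)  # unknown or unsigned: neutral
    action = "reject" if domain and score < REJECT_BELOW else "verify"
    return action, domain, len(buf)

# Constructed sample messages, split into chunks as they might arrive.
BAD = [b"Received: from mx.bulk.example\r\nDKIM-Signature: v=1; a=rsa-sha256;\r\n"
       b" d=bulk.example; s=sel;\r\n",
       b" bh=AAAA=; b=BBBB=\r\nFrom: a@bulk.example\r\n\r\n",
       b"body " * 1000]
GOOD = [b"DKIM-Signature: v=1; d=School.Example; s=k1; b=CCCC=\r\n"
        b"From: b@school.example\r\n\r\n", b"hello\r\n"]
UNSIGNED = [b"From: c@nowhere.example\r\nSubject: hi\r\n\r\nhello\r\n"]
```

For the constructed `BAD` message the reject decision is reached without reading the body chunk, yet the two header chunks have already been received, which is the network cost the reply above is concerned with.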