On Jun 4, 2013, at 7:16 PM, Sam Hartman <hartmans-ietf(_at_)mit(_dot_)edu>
wrote:
> So, I'd like to encourage Doug to refine his work, fix errors of
> precision, but to say I think this is worth writing down.
Dear Sam,
Thank you for your interest. I have updated the draft and, as requested by
Dave Crocker, included references to prior statements by Dave Crocker and Barry
Leiba made public subsequent to the conclusion of the WG DKIM specification in
response to comments about the phishing threat DKIM permits. In reviewing some
of Dave Crocker's responses, it appears differences between "validated the
SDID" and "authenticated the SDID" could use some clarification since this is
awkwardly described in RFC6376 section 6.3.
Quoting the abstract of RFC5863 co-authored by Dave Crocker, "DKIM's
authentication of email identity can assist in the global control of "spam" and
"phishing". This document provides implementation, deployment, operational,
and migration considerations for DKIM."
Section 5.4 "Inbound Mail Filtering" of RFC5863 states:
,---
DKIM is frequently employed in a mail filtering strategy to avoid
performing content analysis on email originating from trusted
sources. Messages that carry a valid DKIM signature from a trusted
source can be whitelisted, avoiding the need to perform computation
and hence energy-intensive content analysis to determine the
disposition of the message.
'---
This is exactly how DKIM is being used and why DKIM is harmful!
Additional information is being acquired, but will not alter conclusions
reached.
http://tools.ietf.org/html/draft-otis-dkim-harmful-03
Regards,
Douglas Otis
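The distinction raised above (a signature that validates for the SDID in d= versus the SDID being the identity the recipient actually sees in From:) is exactly what a whitelisting filter has to check before it skips content analysis. The following is an added example, not code from the thread or from any of the RFCs cited: it assumes the DKIM signature has already been cryptographically verified by a separate verifier, parses the d= and i= tags, and refuses to whitelist unless the From: domain is aligned with the SDID and the SDID is on a receiver-side trust list. All headers and domain names are constructed for the example.

```python
"""Align the DKIM SDID (d=) with the From: domain before whitelisting.

Assumption: signature verification (RFC 6376 section 6) is done elsewhere and
its result is passed in as `verified`. This code only performs the identity
check that section 6.3 leaves to the receiver. All sample data is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical receiver-side trust list of signing domains (SDIDs).
TRUSTED_SDIDS = {"bank.example", "bulkmailer.example"}


def dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        # Folding whitespace inside tag values is not significant.
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def from_domain(msg):
    """Domain of the first address in the From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_subdomain(child, parent):
    return bool(parent) and (child == parent or child.endswith("." + parent))


def evaluate(raw_message, verified=True):
    """Return (sdid, aligned, whitelist) for a raw RFC 5322 message.

    whitelist is True only when the signature verified, the AUID (i=) is within
    the SDID, the From: domain is the SDID or a subdomain of it, and the SDID
    is on the trust list. A valid signature from a trusted d= alone is not
    enough, which is the case the thread above is concerned about.
    """
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None or not verified:
        return ("", False, False)
    tags = dkim_tags(sig)
    sdid = tags.get("d", "").lower()
    # i= defaults to "@" + d=; its domain must be the SDID or a subdomain.
    auid_domain = tags.get("i", "@" + sdid).rpartition("@")[2].lower()
    if not is_subdomain(auid_domain, sdid):
        return (sdid, False, False)
    aligned = is_subdomain(from_domain(msg), sdid)
    return (sdid, aligned, aligned and sdid in TRUSTED_SDIDS)


# Constructed sample 1: From: domain matches the signing domain.
ALIGNED = """From: alerts@bank.example
To: user@example.net
Subject: Statement
DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel; c=relaxed/relaxed;
 h=from:to:subject; bh=constructed; b=constructed

body
"""

# Constructed sample 2: signature is valid and from a trusted SDID, but the
# From: domain the recipient sees is a different organisation.
MISALIGNED = """From: security@bank.example
To: user@example.net
Subject: Please confirm your account
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.example; s=sel;
 c=relaxed/relaxed; h=from:to:subject; bh=constructed; b=constructed

body
"""

if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("misaligned", MISALIGNED)):
        print(name, evaluate(raw))
```

Running the block prints `('bank.example', True, True)` for the aligned message and `('bulkmailer.example', False, False)` for the misaligned one: the second message carries a valid signature from a trusted SDID, yet a filter that keys only on d= would have whitelisted a From: identity the signer never vouched for.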