
Re: (DMARC) Why mailing lists are only sort of special

2014-04-16 22:03:16

Part of the problem is that DKIM requires that email passes through
the signer's MTA to get the signature added.  Per-user certs chained
to the published cert would address this issue.

This would allow someone using gmail to send as @yahoo.com.  Yes,
it requires all the PKI stuff like CRLs for compromised accounts.
You report spam that passes DKIM to @yahoo.com who then revoke the
cert.  The CRL could be a DNS entry with a low negative TTL for
non-existing entries.  Note these CERTs don't need to be tied to
account names.  Yahoo would know who they were issued to but no one
else.  Multiple users could in theory use the same CERT.  Vetted
mailing lists could use a CERT after re-writing Subject, attaching
footers etc.  This CERT would be marked as "on behalf of" indicating
that it is not the actual user that is signing the message but a
proxy.

This still requires a mailing list to sign the outgoing email and
have a collection of CERTS to do this with.  Mailing lists without
a CERT would reject incoming messages which would fail DKIM reporting
back to Yahoo why.  This would be a trigger to get a mailing list
CERT.  The yahoo user would need to sign off that they intended to
send to a mailing list before a CERT was issued.  This step could
be automated, but would be a brake on process abuse.

The email would have to contain the necessary linkage information in
the headers to get back to Yahoo's public key.

This isn't a perfect system but it would allow Yahoo to control who
gets to send email as user@yahoo.com.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
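The trust chain sketched in the message above, as an added example that is not part of the original post: a constructed Go model in which the domain's published key vouches for per-sender certs, and a receiver checks the cert, a revocation lookup standing in for the DNS CRL, and the message signature, with a "proxy" role carrying the "on behalf of" mark. Ed25519 and the cert encoding are assumptions; the proposal names no format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// UserCert models the proposal's per-user cert: a sender key vouched for by
// the domain's published key. ID is opaque, so it reveals no account name,
// and Role is "user" or "proxy" (the "on behalf of" mark for a vetted list).
type UserCert struct {
	ID        string
	Role      string
	Pub       ed25519.PublicKey
	DomainSig []byte // domain key's signature over the three fields above
}

// certTBS is the byte string the domain signs (constructed encoding).
func certTBS(id, role string, pub ed25519.PublicKey) []byte {
	return []byte(id + "|" + role + "|" + string(pub))
}

// IssueCert is what the domain (yahoo.com in the mail) would run once the
// user has signed off on the request.
func IssueCert(domainPriv ed25519.PrivateKey, id, role string, pub ed25519.PublicKey) UserCert {
	return UserCert{id, role, pub, ed25519.Sign(domainPriv, certTBS(id, role, pub))}
}

// Verify is the receiver's check. domainPub is the key the domain publishes
// (a DNS TXT record in DKIM); revoked stands in for the CRL lookup, which the
// proposal puts in DNS. On success it reports whether the signer was the
// user or a proxy signing on the user's behalf.
func Verify(domainPub ed25519.PublicKey, revoked func(string) bool, c UserCert, msg, sig []byte) (string, error) {
	if !ed25519.Verify(domainPub, certTBS(c.ID, c.Role, c.Pub), c.DomainSig) {
		return "", errors.New("cert does not chain to the domain's published key")
	}
	if revoked(c.ID) {
		return "", errors.New("cert is on the domain's revocation list")
	}
	if !ed25519.Verify(c.Pub, msg, sig) {
		return "", errors.New("message signature does not verify under the cert key")
	}
	return c.Role, nil
}
```

Because the role is covered by the domain's signature, a list cannot quietly drop the "on behalf of" mark, and a revoked cert ID fails closed even though the message signature itself is still valid.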
