mail-vet-discuss

Re: [mail-vet-discuss] Proposed "header.b" tag for DKIM signatures

2010-03-25 15:39:39
-----Original Message-----
From: Alessandro Vesely [mailto:vesely(_at_)tana(_dot_)it]
Sent: Thursday, March 25, 2010 12:16 PM
To: Murray S. Kucherawy
Cc: mail-vet-discuss(_at_)mipassoc(_dot_)org
Subject: Re: [mail-vet-discuss] Proposed "header.b" tag for DKIM
signatures

How do I get a local policy? I guess this question may sound silly,
but it seems that failures originate from header mangling much more
frequently than real forgeries. DKIM may need some false-alarm
reduction system to increase its reliability. In this case, it may
also be considered a disservice to force users to fully understand the
matter in order to devise adequate policies.

I don't think un-savvy end users are the places where evaluation schemes are 
defined or configured.  I would suspect the place a local policy is set would 
be within the purview of a local system administrator who does have some idea 
about local policy definition or enforcement.
 
Put it another way, what is A-R going to provide w.r.t. DKIM?

* Save consumer's cpu time/DNS lookups for signature verification, or

Yes.

* provide a synthesis of a message's trustworthiness, according to the
best knowledge of the filtering agent.

Yes.

Truly sophisticated servers can still provide a policy-definition
wizard that allows users to tailor the service according to their
specific needs.

Certainly, but that's one of many possible architectures.  Also, the idea here 
is that the border is where DKIM evaluation is done, while the policy
enforcement could be somewhere more internal (maybe corporate vs. department, 
cloud vs. local, etc.).  It's a lot cheaper to parse an A-R header and some 
DKIM signatures than it is to parse and process (including the crypto and DNS) 
a batch of DKIM signatures that was already evaluated at some trustworthy 
upstream location.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
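
The internal-consumer side of the architecture described in the reply above, as an added example that is not part of the original thread: it reads only the Authentication-Results fields stamped by a trusted border and ties each DKIM result to one signature, with no crypto or DNS. Assumptions: "header.b" carries the leading characters of the signature's b= value, the authserv-id "mx.example.org" and all sample headers are constructed, and the parsing is simplified (no comments or quoted strings).

```python
import re

# Constructed sample headers (assumption: not taken from the thread).
TRUSTED_AUTHSERV_ID = "mx.example.org"  # hypothetical border MTA identity
SAMPLE_HEADERS = [
    ("Authentication-Results",
     "mx.example.org; dkim=pass header.d=example.com header.b=AbCdEfGh;"
     " dkim=fail header.d=lists.example.net header.b=ZyXwVuTs"),
    ("Authentication-Results",  # stamped by someone else: must be ignored
     "forged.example; dkim=pass header.d=bank.example header.b=QqQqQqQq"),
    ("DKIM-Signature",
     "v=1; d=example.com; s=sel1; bh=MTIzNDU2; b=AbCdEfGhIjKlMnOpQrStUv=="),
    ("DKIM-Signature",
     "v=1; d=lists.example.net; s=ml; bh=MTIzNDU2; b=ZyXwVuTsRqPoNmLkJiHg"),
]

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding space."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_results(headers, authserv_id):
    """Return (result, d, b_prefix) tuples from A-R fields stamped by authserv_id."""
    out = []
    for name, value in headers:
        ident, _, rest = value.partition(";")
        trusted = (ident.split() or [""])[0].lower() == authserv_id.lower()
        if name.lower() != "authentication-results" or not trusted:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                props = dict(re.findall(r"header\.([a-z])=(\S+)", clause))
                out.append((m.group(1), props.get("d"), props.get("b")))
    return out

def match_signatures(headers, authserv_id=TRUSTED_AUTHSERV_ID):
    """Tie each trusted result to the one signature whose b= starts with header.b."""
    sigs = [parse_tags(v) for n, v in headers if n.lower() == "dkim-signature"]
    matched = []
    for result, d, b in dkim_results(headers, authserv_id):
        hits = [s for s in sigs
                if b and s.get("d") == d and s.get("b", "").startswith(b)]
        # Zero or several hits: the result cannot be pinned to one signature.
        selector = hits[0].get("s") if len(hits) == 1 else None
        matched.append({"result": result, "d": d, "selector": selector})
    return matched
```
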
