spf-discuss

Re: Re: possibilities for 2822

2005-08-24 02:30:53

From: "Frank Ellermann" <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>


BTW, I also liked your SSP tables.  Three days later, I read
the complete (long) thread with Scott and Doug, plus what
Keith said.  Finally I'm beginning to see the light.

DKIM allows arbitrary parties to sign whatever they like.
Any "DKIM PASS" has the decent charm of an "SPF PASS", it
means absolutely nothing, unless you know the signing party.

And whether he is allowed to sign, etc.

And what DKIM signs can be completely bogus, the signer only
promises "that's how I got it, whatever it might be".  It
can be spam, it (headers selected by h=...) can be forged.

Right

Otherwise DKIM, as I proved, is a waste of time and in fact
can cause MORE HARM

I don't see any "more harm", but "waste of time" is possible.

You answered it yourself above. Just like Relaxed provisions in SPF can create 
spoofers, Relaxed provision in DKIM will no doubt create a market of DKIM 
spoofers to give the MUA the "false illusions" that it is OK because it was 
signed.

If there is a way, it will be done.

For naive users thinking that "PASS" has any value of its own
it could be harmful, a DKIM PASS isn't better than a SPF PASS.

Actually it is, if it ties back to the OA EXCLUSIVE SIGNING policy.

All that means is you know for SURE that it came from that DOMAIN.

That has nothing to do with whether the actual mail content is good or bad.

DKIM Exclusive SIGNING policy has a high potential of reducing PHISHING and 
SPOOFED domains.  But it will only work if the SIGNER and the VERIFIER make 
sure the SIGNING Policy is consistent and I see that working very well.

It's the 3rd party issue where it's murky and I see it working too, but again, 
SIGNERS and VERIFIERS must check every step.

It has become fairly obvious what is really going on there is
to get DKIM accepted as an isolated weak signal protocol so
that CSV, DNA can be the next "incremental" steps.

A DKIM PASS from a known trustworthy party has some meaning.
Without "reputation" / trust it's pretty useless, spammers
can create a DKIM PASS almost as easy as a SPF PASS.

True, but that applies to anything.  No one is above the "law."  You can use 
the world's greatest invention, but if I ask my FRIEND about you, what if he 
says, you are a bad person?  I don't need DKIM for that.

But what I am saying is that DKIM doesn't make any technical sense unless the 
SIGNER and VERIFIER check to make sure it is allowed in the first place.  That 
has nothing to do with reputation, but it has a lot to do with high potential 
fraud by not checking.

Actually a SPF PASS has one feature that a DKIM PASS doesn't
have:  You can simply challenge an unknown SPF PASS.  Whatever
the effect might be, it won't hit an innocent bystander.  So
SPF PASS has value without complex "reputation" solutions, a
white list is good enough.

In a way, what I am saying is a "challenge."  You sign the message.  It looks 
ok, it passes the signing test.  But are you allowed to sign it?  The 
challenge will be to ask your domain for your signing policy.

If you said, "yeah, I signed it and I am allowed to sign and only I can sign 
it", then the mail goes to the next step whatever that is. But as far as DKIM 
is concerned, it passes its PROTOCOL INTEGRITY check.

But if you see a 3rd party signer, then you reject it.

For an unknown DKIM PASS all you have is a domain (or i=) for
abuse reports that won't hit innocent bystanders.  That's in
fact not very impressive.  If you couple it with "Senderbase"
like Ironport it's probably more interesting.  Ordinary users
will hate DKIM, tons of worthless obscure header fields.  Bye

Well, SPF can stop abusers if you have an EXCLUSIVE policy (not neutral or 
softfail).  But you can run into FORWARDING issues.

DKIM exclusive policies can solve the same problem without the FORWARDING 
issue.  Even with 3rd party signing it solves the problem but again, the signer 
and verifier must double check the policies.  If the checking is not there, 
then anything can happen. It is weak.   You can check it for incoming and 
provide a service, but you are less confident in SIGNING yourself because you 
don't know how the receivers are going to CHECK or NOT.  If they don't check, 
then your DKIM DOMAIN can be abused.

It is all pretty simple :-)

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
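
The verifier-side check argued for in this message (a valid signature only says something about the From: domain once that domain's signing policy is consulted), as an added example that is not part of the original post. The policy labels, the in-memory `POLICIES` table standing in for a DNS policy lookup, and all domains are constructed assumptions; the cryptographic verification is assumed to be done elsewhere.

```python
from email.utils import parseaddr

# Hypothetical policy labels: the thread names an "exclusive" policy and
# third-party signing, but no record syntax.
EXCLUSIVE, THIRD_PARTY_OK, NO_POLICY = "exclusive", "third-party-ok", "none"

# Constructed stand-in for a DNS lookup of each author domain's signing policy.
POLICIES = {"bank.example": EXCLUSIVE, "list-user.example": THIRD_PARTY_OK}


def parse_tags(dkim_signature):
    """Split a DKIM-Signature value ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in dkim_signature.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def domain_of(from_header):
    """Return the lower-cased domain of the From: address (the OA)."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def evaluate(from_header, dkim_signature, signature_valid):
    """Decide what a signature says about the From: domain.

    signature_valid is the result of the cryptographic check, done elsewhere.
    Domains are compared by exact match (an assumption; no subdomain rules).
    """
    author = domain_of(from_header)
    policy = POLICIES.get(author, NO_POLICY)
    signer = parse_tags(dkim_signature).get("d", "").lower() if dkim_signature else ""
    if signer and signature_valid and signer == author:
        return "pass-author-signed"   # integrity check tied to the OA domain
    if policy == EXCLUSIVE:
        return "reject"               # unsigned, broken, or third-party signed
    if signer and signature_valid:
        # Valid third-party signature: only the signer's identity is known.
        return "pass-third-party" if policy == THIRD_PARTY_OK else "no-assertion"
    return "no-assertion"
```
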


