On Wed, Jun 11, 2014 at 8:09 AM, Hector Santos <hsan...@isdg.net> wrote:
> Preference should be given to the author domain explicitly authorized
> resigners, however that black box functionality is achieved. Currently,
> there are three DNS-based authorization proposals on the table. From
> Murray's follow-up comments, the DKIM-delegate is basically an optimizer
> to avoid doing a lookup. If this can address the basic protocol fault
> failures the DNS lookup proposals address, then I would like to see how that
> is done. I plan to study the draft more.
>

One thing that is missing (and there's a placeholder for it) is examples so you can see how it works. I'll make sure that's there for -01.

> The most basic protocol fault is when no signatures, no extra new headers
> are available -- the legacy operation. Here the lookup is required. If
> not, the bad guy loophole is simply to remain in legacy mode. They don't
> need to think about trying to find a fake signature.
>

A lookup for what, and where?

But you're right, there's a risk of a legacy DKIM verifier getting only the delegation signature for some reason. The exposure is supposedly time-limited, and we're assuming verifiers all pay attention to "x=", but it should also be documented.

-MSK
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
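The "x=" check that the reply above assumes every verifier performs, shown as an added example that is not part of this thread, of the draft under discussion, or of any DKIM implementation: a small Python parser for the DKIM-Signature tag list (RFC 6376 section 3.2) that enforces the x= expiration tag and sanity-checks t= against it. The sample header, its domain, selector, hash and signature values, and the timestamps are constructed for this example; the five-minute clock-skew allowance is a design choice of the example, not a value taken from RFC 6376 or the thread.

```python
import re

# Constructed sample DKIM-Signature header value (not from the thread).
# bh= and b= hold placeholder base64, since only the tag list is parsed here.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\tt=1402500000; x=1402586400; h=from:to:subject;\r\n"
    "\tbh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI="
)

# Clock skew allowed when comparing x= and t= to the verifier's clock.
# Assumed for this example; RFC 6376 leaves the tolerance to the verifier.
MAX_CLOCK_SKEW = 300


def parse_tags(header_value):
    """Parse a DKIM tag=value list into a dict.

    Folding whitespace (FWS) inside values is not significant, so it is
    stripped. RFC 6376 forbids duplicate tags in one list, so a repeated
    tag is rejected rather than silently overwritten.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' is permitted
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, _, value = part.partition("=")
        name = name.strip()
        value = re.sub(r"\s+", "", value)
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = value
    return tags


def _int_tag(tags, name):
    """Return the integer value of a tag, or None if absent/malformed."""
    if name not in tags:
        return None
    try:
        return int(tags[name])
    except ValueError:
        return None


def check_expiration(tags, now, max_clock_skew=MAX_CLOCK_SKEW):
    """Return (ok, reason) for the timing tags of a parsed signature.

    x= (section 3.5) is an absolute expiration time in seconds since the
    epoch; a signature seen after that time is expired. If both x= and t=
    are present, x= MUST be greater than t=. A t= far in the future is
    also rejected, since the signer's clock cannot be trusted.
    """
    exp = _int_tag(tags, "x")
    ts = _int_tag(tags, "t")
    if "x" in tags and exp is None:
        return False, "x= is not an integer"
    if "t" in tags and ts is None:
        return False, "t= is not an integer"
    if exp is not None:
        if exp + max_clock_skew < now:
            return False, "signature expired at %d" % exp
        if ts is not None and ts > exp:
            return False, "x= precedes t="
    if ts is not None and ts > now + max_clock_skew:
        return False, "t= is in the future"
    return True, "ok"


def verify_timing(header_value, now):
    """Convenience wrapper: parse the header and run the timing checks."""
    return check_expiration(parse_tags(header_value), now)


if __name__ == "__main__":
    # Within the validity window, then a day after x=.
    print(verify_timing(SAMPLE_HEADER, 1402500500))  # (True, 'ok')
    print(verify_timing(SAMPLE_HEADER, 1402700000))  # expired
```

A verifier that skips this check keeps trusting a time-limited signature indefinitely, which is exactly the exposure the reply above says should be documented; the same parser can feed the rest of a DKIM verification once the tag list is available.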