How can you see lower cost for hotmail.com, aol.com and yahoo.com and such 
domains to begin to weaken their signed mail streams with v2 signature resigner 
authorization signatures? That pesky registration problem again. What if 
the resigner domain decides to change its resigner domain? How does the 
feedback get back to the originating domain? 

I believe the dual sig idea is good to be part of a more comprehensive 
solution, not total nor exclusive, but more. It is less secure no matter 
how we look at it, so it is prudent that the more secured, more baseline, DNS 
query solution also be part of the IE* recommendations. This is especially the 
case when proposed as a Standard Track protocol.

Let's remember there are two parts of this: verification by two receivers we 
are mostly concerned about, and the original signer and its exposed public policy 
intentions and expectations.

We got working code and a practical solution for those with DNS management. I 
have ATPS running code, both the rev4 and RFC version, in a wide network of 
operators. I have enterprise beta testers who also use openDKIM/openDMARC in 
an integrated SMTP environment where our package serves as an AVS frontend 
relay for them. So we can do ATPS testing and I plan to recommend and 
illustrate source code changes to support ATPSRev4. It's about support options.

Adding two signatures will take a signer engine code change. Once I see p=reject 
domains add support for v2, I will explore changing code again to support 
V2 signatures too. Or at least, explore adding verification code since that is 
already in a change flux.

--
Hector Santos
http://www.santronics.com

> On May 18, 2015, at 12:26 AM, Murray S. Kucherawy <superu...@gmail.com> wrote:
> 
>> On Fri, May 15, 2015 at 1:28 PM, Dave Crocker <d...@dcrocker.net> wrote:
>>    Performing DKIM/SPF validation upon receipt
> 
> There already exist several implementations of each of these, so I would say 
> that they are currently deployed rather widely, making our cost near-zero.  
> Plus, any DMARC operator already has at least one of them going.
> 
>>    DKIM-signing all outbound mail.
> 
> Let's say that's close to zero cost as well.
> 
> One thing absent from your list is conditional signatures, which is John's 
> idea, and is a special case of both of these.  I've implemented it now in 
> libopendkim as a compile-time experimental feature, and it took me about four 
> hours including testing.  I just have to add it to the plugin that uses the 
> library, and it'll be available for others to play with.
> 
> -MSK
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc