A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : DKIM is Harmful as Specified
Author(s) : Douglas Otis
Dave Rand
Filename : draft-otis-dkim-harmful-03.txt
Pages : 20
Date : 2013-06-17
Abstract:
Currently, email lacks conventions ensuring SMTP clients can be
identified by an authenticated domain. Unfortunately many hope to
use DKIM as an alternative, but it is independent of intended
recipients and domains accountable for having sent the message. This
means DKIM is poorly suited to establishing abuse assessments of
unsolicited commercial email, otherwise known as SPAM, nor was this
DKIM's original intent. DKIM lacks message context essential to
ensure fair assessment and to ensure this assessment is not poisoned
(Who initiated the transaction and to whom).
DKIM was instead intended to establish increased levels of trust
based upon valid DKIM signatures controlling acceptance and what a
user sees within the FROM header field. But DKIM failed to guard
against prepended header fields, whereas any acceptance based on valid
DKIM signatures must be sure to exclude header field spoofing, especially
that of the FROM. This weakness allows malefactors to exploit DKIM
signature acceptance established by high-volume DKIM domains to spoof
ANY other domain, even when prohibited within the Signer's network.
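As an added illustration (not part of the draft or of this announcement), the Python below inspects the h= tag of a message's DKIM-Signature for the countermeasure RFC 6376 permits against prepended header fields: listing a field name in h= more times than it occurs, so that a copy prepended later is covered by the signature and invalidates it. The two sample messages, selector and signature values are constructed; the check does not verify the signature cryptographically.

```python
import re

# Header fields whose later prepending must invalidate the signature.
SENSITIVE = ("from", "to", "subject", "reply-to")

def parse_headers(raw):
    """Return [(name, value)] from an RFC 5322 header block, unfolding continuation lines."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:                      # blank line ends the header block
            break
        if line[0] in " \t" and headers:  # folded continuation of previous field
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def signed_field_counts(sig_value):
    """Count how often each field name is listed in the h= tag of a DKIM-Signature value."""
    m = re.search(r"(?:^|;)\s*h=([^;]*)", sig_value)
    counts = {}
    for name in (m.group(1).split(":") if m else []):
        name = name.strip().lower()
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts

def prependable_fields(raw_message, fields=SENSITIVE):
    """Sensitive fields an attacker could prepend without breaking the (first) DKIM signature."""
    headers = parse_headers(raw_message)
    sigs = [v for n, v in headers if n == "dkim-signature"]
    if not sigs:
        return list(fields)               # unsigned: nothing protects any field
    signed = signed_field_counts(sigs[0])
    present = {}
    for n, _ in headers:
        present[n] = present.get(n, 0) + 1
    # A verifier binds h= entries to header instances from the bottom up; an entry
    # beyond the instances present signs the empty "nonexistent" slot, which a
    # prepended copy would fill, so count(h=) must exceed count(present).
    return [f for f in fields if signed.get(f, 0) <= present.get(f, 0)]

# Constructed samples: same message, h= without and with oversigning.
WEAK_MSG = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
            " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
            "From: alice@example.com\nTo: bob@example.net\nSubject: hello\n\nbody\n")
STRONG_MSG = WEAK_MSG.replace("h=from:to:subject", "h=from:from:to:to:subject:subject:reply-to")
```

Run `prependable_fields(WEAK_MSG)` against `prependable_fields(STRONG_MSG)` to see which fields each signature leaves open to a prepended copy.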
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-otis-dkim-harmful
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-otis-dkim-harmful-03
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-otis-dkim-harmful-03
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
I-D-Announce mailing list
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt