On Jan 30, 2006, at 1:07 PM, Frank Ellermann wrote:
> Doug proposed to copy the SSP into the signature as shortcut for
> any "check SSP only for valid signatures" strategy. If I
> understood his proposal correctly. Apparently that has the same
> effect as your point (3), and if possible (3) is better.
To the extent that this is somewhat related to a threat...
Looking for a policy record occurs when the email-address domain is
not within the signing-domain. This may still mean the message may
have been signed.
As many of the policy lookups for email-addresses will not return a
record, this lack of a record will not persist very long in cache,
requiring repeated search sequences for each such message. Those
email-addresses without a policy record may also burden upper level
domain DNS servers as the search extends upward.
What will likely become a sizable overhead associated with accessing
a separate policy record could be eliminated with a strategy that
caches similar (binding and role) information obtained from within a
prior signature header and the DNS key. The same information could
be part of a white-listing strategy as well. White-listing and
marking the mail "good" also overcomes look-alike domain attacks. : )
-Doug
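An added illustration of the lookup overhead Doug describes (not code from the thread or from any DKIM implementation): it checks whether the address domain falls within the signing domain, walks the policy search upward through the parents, and counts DNS queries under a short negative-cache TTL. The record label `_policy`, the walk order, the stopping depth and the TTL values are assumptions.

```python
# Added example, not from the ietf-dkim thread. Models: (1) policy lookup is
# needed only when the address domain is not within the signing domain,
# (2) the search extends upward through parent domains, (3) negative
# answers are cached briefly, so repeated messages repeat the queries.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

POLICY_LABEL = "_policy"  # assumed label; the real record name is not stated here


def within_signing_domain(addr_domain: str, signing_domain: str) -> bool:
    """True if the address domain is the signing domain or a subdomain of it."""
    a = addr_domain.lower().rstrip(".")
    d = signing_domain.lower().rstrip(".")
    return a == d or a.endswith("." + d)


def policy_candidates(addr_domain: str, stop_at_labels: int = 2) -> List[str]:
    """Names queried as the search extends upward, most specific first (assumed walk)."""
    labels = addr_domain.lower().rstrip(".").split(".")
    return [f"{POLICY_LABEL}.{'.'.join(labels[i:])}"
            for i in range(len(labels) - stop_at_labels + 1)]


@dataclass
class Resolver:
    records: Set[str]                 # names that actually have a policy record
    negative_ttl: int = 60            # assumed short lifetime for "no record"
    positive_ttl: int = 3600          # assumed lifetime for a found record
    cache: Dict[str, Tuple[bool, int]] = field(default_factory=dict)
    queries: int = 0                  # DNS queries sent upstream

    def lookup(self, name: str, now: int) -> bool:
        hit = self.cache.get(name)
        if hit and hit[1] > now:      # still cached, no upstream query
            return hit[0]
        self.queries += 1
        found = name in self.records
        self.cache[name] = (found, now + (self.positive_ttl if found else self.negative_ttl))
        return found


def find_policy(r: Resolver, addr_domain: str, now: int) -> Optional[str]:
    for name in policy_candidates(addr_domain):
        if r.lookup(name, now):
            return name
    return None


def simulate(addr_domain: str, signing_domain: str, times: List[int],
             records: Set[str], negative_ttl: int = 60) -> int:
    """Return upstream queries caused by one message per entry in `times`."""
    r = Resolver(records=set(records), negative_ttl=negative_ttl)
    for t in times:
        if not within_signing_domain(addr_domain, signing_domain):
            find_policy(r, addr_domain, t)
    return r.queries
```

With four messages spaced further apart than the negative TTL and no record anywhere in the tree, every message repeats the full upward walk; lengthening the negative TTL (or caching the binding seen in a prior signature, as Doug suggests) collapses that to a single walk.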
_______________________________________________
ietf-dkim mailing list
http://dkim.org