----- Original Message ----- From: "Douglas Otis" <[EMAIL PROTECTED]> To: "Jim Fenton" <[EMAIL PROTECTED]>
> The "invalid" flag is not needed, but Hector will want to be able to > list who signs even when the 2822.From is not validated. Ok, I really don't care how you guys do it. The bottom line is that DKIM-BASE is unprotected and fails to answer the following questions: o Does the domain ever distribute mail? o Do you expect the mail to be unsigned? o Do you expect to sign all mail? o Is your domain the exclusive signer? o Are 3rd party signers or signatures allowed? o Are 3rd party signers allowed to strip your original signatures? I don't take away anyone else experiences, but I got 30 years of designing multi-million dollars commercial products for corporations and for my own business, with an sound expertise in software engineering, process control, automation, simulation, fault analysis and foremost problem solving. Never mind all the mail design experience I have as well. It doesn't take me very long to see what the problems are going to be with a proposal such as DKIM-BASE, where the exploitations will be, and while I keep in mind a conservative considerations, what "feasible" solutions make work. I think the above are very feasible "doable" design questions. Solve the above questions with whatever protocol methods you like and I believe very strongly DKIM will be very successful. If there are things I don't see, I accept that. I would like to know what they are thought. But from I've seen in the last 2 years or so, in my anti-spam project research sabbatical? For DKIM-BASE, it needs an SSP protection layer with the above minimum questions resolved. I can not in good-faith see DKIM-BASE be "safe" when released into the wild without some signature authorization protection. -- Hector Santos, Santronics Software, Inc. http://www.santronics.com _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
