On Sep 6, 2006, at 5:39 PM, Wietse Venema wrote:
> Why? The signature must be valid and the email-address must be
> assured to be valid. How is the email-address susceptible?
I can answer that. Exploitation of the mapping from recipient
address to DNS record name, by the application of brute force.
If policy attempts to list all valid email-addresses, then it would
be possible to use these records to discover valid email-addresses as
you suggest.
This is not how the mechanism is envisioned to be used, however. As
opposed to John's suggestion, this mechanism would automate
annotations for "select" email-addresses within a domain. These
email-addresses are likely already widely known, and are useful only
in conjunction with a trusted domain. These "select" email-addresses
offer a means to differentiate messages the trusted domain wishes to
automatically convey as trustworthy.
An annotation scheme can limit annotations to those email-addresses
found in an address-book and also marked by way of signature syntax
or policy to be valid. When a domain is well-known or found within
an address-book, annotations can be automatically extended to also
include a "select" few addresses. Most likely these would represent
various email-addresses used in transactional messages and bulk
mailings.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
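The enumeration Doug describes above, worked through as an added example that is not part of the original thread and not code from any DKIM or sender-policy specification. The `_policy` owner-name layout, the two mapping functions `plain_label` and `hashed_label`, and all addresses and the attacker wordlist are assumptions constructed for the example; the "zone" is an in-memory dictionary standing in for DNS, so nothing is queried over the network. It goes slightly beyond the text by also showing a hashed mapping, to make the point that hiding the local-part behind a hash does not stop a dictionary attacker, who hashes each guess in turn.

```python
import hashlib
from typing import Callable, Dict, Iterable, List

# Everything below is constructed for illustration.  The domain, the
# "_policy" record owner-name layout and both mapping functions are
# assumptions made for this example, not a published DKIM or SSP format.
DOMAIN = "example.com"

# Constructed: every valid mailbox, i.e. what a domain would publish if its
# policy tried to list all valid addresses (the case warned about above).
ALL_ADDRESSES = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "billing@example.com",
    "noreply@example.com",
]

# Constructed: the "select" few transactional/bulk senders a domain would
# actually want annotated.  These are already widely known.
SELECT_ADDRESSES = ["billing@example.com", "noreply@example.com"]

# Constructed attacker dictionary of common local-parts.
WORDLIST = ["admin", "alice", "billing", "bob", "carol", "dave",
            "info", "noreply", "postmaster", "sales"]

Mapping = Callable[[str, str], str]


def plain_label(local_part: str, domain: str) -> str:
    """Hypothetical mapping: the local-part is used verbatim as a DNS label."""
    return f"{local_part.lower()}._policy.{domain}"


def hashed_label(local_part: str, domain: str) -> str:
    """Hypothetical mapping: the local-part is hashed first.  This hides the
    names from a casual zone read, but a dictionary attacker simply hashes
    each guess, so it does not stop brute force."""
    digest = hashlib.sha256(local_part.lower().encode("utf-8")).hexdigest()
    return f"{digest[:32]}._policy.{domain}"


def publish_zone(addresses: Iterable[str], mapping: Mapping) -> Dict[str, str]:
    """Simulate the zone a domain publishes: one TXT record per address,
    keyed by the owner name the mapping derives from it."""
    zone: Dict[str, str] = {}
    for addr in addresses:
        local_part, domain = addr.split("@", 1)
        zone[mapping(local_part, domain)] = "v=policy; sig=required"
    return zone


def enumerate_addresses(zone: Dict[str, str], domain: str,
                        wordlist: Iterable[str], mapping: Mapping) -> List[str]:
    """Brute-force the mapping: derive the owner name for every candidate
    local-part and look it up.  Each hit confirms a valid address, so the
    policy records act as an address-existence oracle."""
    found: List[str] = []
    for guess in wordlist:
        if mapping(guess, domain) in zone:   # a real attacker queries DNS here
            found.append(f"{guess}@{domain}")
    return found


if __name__ == "__main__":
    for name, mapping in (("plain", plain_label), ("hashed", hashed_label)):
        full = enumerate_addresses(publish_zone(ALL_ADDRESSES, mapping),
                                   DOMAIN, WORDLIST, mapping)
        print(f"{name} mapping, every address listed: {full}")
    select = enumerate_addresses(publish_zone(SELECT_ADDRESSES, plain_label),
                                 DOMAIN, WORDLIST, plain_label)
    print(f"only select addresses listed: {select}")
```

With every address listed, the dictionary recovers five of the ten guesses under either mapping; with only the "select" transactional addresses published, the same dictionary recovers just those two, which the domain already advertises anyway. That is the practical difference between the two deployment models discussed in the message.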