On Sep 11, 2006, at 5:50 PM, Hector Santos wrote:
On Sep 11, 2006, at 5:05 PM, Hector Santos wrote:

There are so many issues with this DKIM-BASE + LOCAL POLICY UNKNOWN that I find it hard to see how it justifies the risk of signing.

What issues and risks do you refer to with respect to signing?

DKIM results are not visible to the recipient without either annotation or 100% blocking of unsigned email-addresses.

When the operation of DKIM does not expect all messages containing a specific email-address to be blocked, one should assume annotation is how a recipient is aware of valid DKIM signatures.

- Inconsistent results.

Either the signature is valid or it is not. This does not depend upon policy.

The message can be annotated as having the following:
 - A valid signature with a matching email-address domain.
 - A valid signature with an associated email-address domain.
 - An assured email-address comparing with a retained email-address.

These annotations do not depend upon policy for consistent results. When policy does not assure an email-address is initially signed with only compliant services subsequently used, only annotations offer recipients any consistent information. Invalid signatures with such an email-address are consistently _not_ blocked. Of course blocking breaks existing uses of email, and does not offer much in the way of anti-spoofing protection anyway.

Can you be a bit more specific about what do you mean by inconsistent results?

- Fake it till you make it.

An assured email-address comparing with a retained email-address can provide comprehensive protections from spoofing. Again, this protection does not depend upon email-address policy.

- 3rd party signatures

When a signature can be associated with the email-address, this email-address can be annotated. Here policy can offer requisite email-address associations. If not, then no annotations and no resulting issues either.

- Bad Actors remain in legacy operations HOPING for unknowns.

They never receive the requisite annotations!

- Good Actors remain in legacy operations FEARING the unknowns.

What is there to fear?

- Receivers requiring to support multiple "batteries."

The MUA already has an address-book.  No batteries required.

What is your concern? Blocking messages that happen to have invalid signatures breaks email. As this blocking can only hope to provide minor protections, why not adopt a system that provides substantially better protections from spoofing and retains email delivery integrity? Policy is needed for associations to increase DKIM's coverage.

-Doug
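The three annotations listed above, plus the "assured address compared with a retained address" check, as an added example of how a receiving MUA could derive them (this is illustrative code, not part of the original thread or any DKIM implementation; the cryptographic verification is assumed done already, and the `DkimResult`, `associations` and `address_book` shapes are hypothetical):

```python
# Added example: turning a DKIM verification outcome into user-facing
# annotations, without ever blocking the message.
# Assumption: signature verification has already been performed elsewhere;
# only the annotation decision is modelled here.
from dataclasses import dataclass


@dataclass
class DkimResult:
    valid: bool      # signature verified cryptographically
    d_domain: str    # d= tag of the DKIM-Signature header (signing domain)


def domain_of(addr):
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def matching(addr_domain, d_domain):
    """Matching domain: identical, or d= is a parent of the address domain."""
    ad, dd = addr_domain.lower(), d_domain.lower()
    return ad == dd or ad.endswith("." + dd)


def annotate(from_addr, result, associations, address_book):
    """Return the annotations for one message (empty list = nothing to say).

    associations: {signing_domain: {address_domain, ...}} obtained from
                  published policy (hypothetical structure).
    address_book: addresses previously retained after arriving assured.
    """
    notes = []
    addr = from_addr.lower()
    if not result.valid:
        # Invalid signature: no positive annotation, message not blocked.
        # If the address was retained as assured before, say so.
        if addr in address_book:
            notes.append("retained address arrived without assurance")
        return notes
    fd = domain_of(addr)
    if matching(fd, result.d_domain):
        notes.append("valid signature, matching domain")
    elif fd in associations.get(result.d_domain.lower(), set()):
        notes.append("valid signature, associated domain")
    else:
        return notes  # third-party signature with no association: silence
    if addr in address_book:
        notes.append("assured address matches retained address")
    return notes
```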


_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html