SM wrote:

At 16:40 26-05-2007, Douglas Otis wrote:

Mitigation might need to be better defined:
A) the SMTP RCPT TO is within the signed portion of the message,
B) or when a _confirmed_ SMTP client is within the DKIM domain.

Both A and B would affect DKIM verification if the message goes through
a mailing list or a forwarder.

DKIM operates entirely on the content of the message (RFC 4686 Section
1.1). Your requirement goes against that. Maybe you could use
"revocation identifiers" as described in the Chosen Message Replay
scenario.

I don't think we should lose focus of the POLICY expectations of DKIM or
more specifically SSP.

Right now, even with the great knowledge DKIM is now an official RFC
standard, I still have no real incentive to implement it (turn it on),
making it a stock feature of our product and thus open a DKIM-BASE only
environment "Pandora's Box" of issues with my customers.

In my view, once SSP is itself an IETF standard, many things will come
together, including SMTP level considerations and in my view, from an
industry competitive cooperation standpoint, each will have their own
set of solutions that might include DKIM/SSP among other things. But I
think we will be losing focus to make the tie-in to SMTP without SSP
being finished.

My take on it.

Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com