A couple of small points:

Jon Callas wrote:
> If you create a suitably-sized RSA key, throw away the private key,  
> and put the public key in a DKIM selector, you have made a selector  
> that can't have mail signed from it (or if you want to be really  
> anal, forging a signature for that selector is equivalent to breaking  
> that key).
>
> If you then say, "I sign all mail" for any domain pointing to that
> selector, you've effectively made a cryptographically enforced
> no-mail, no-use, etc. domain using the existing Tinkertoys.

The selector name would be in the signature (which probably isn't
there), not in the policy.  But the same thing can be accomplished by
simply not publishing any key records, which has the advantage also that
it can avoid the computation required to verify a bogus signature.
>
> In short -- saying "I sign everything" with a non-existent or bogus  
> key is the same thing as saying, "You'll never see a valid one of  
> these."

But I agree with this statement, which I think is your main point.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
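A receiver-side model of the two setups compared in this message, as an added example that is not part of the original thread: one domain publishes a key nobody can sign with, the other publishes no key record at all, and both declare that they sign all mail. The domain names, the `dead` selector, the `"all"` policy label, the stand-in key and the dictionary used in place of DNS are all constructed for illustration.

```python
import hashlib

# Constructed stand-in public key: product of two Mersenne primes, e = 65537.
# A real selector would hold a freshly generated key whose private half was discarded.
BOGUS_KEY = ((2**521 - 1) * (2**607 - 1), 65537)

# Constructed DNS view. Domain A publishes the unusable key; domain B publishes none.
KEYS = {("dead", "nomail-a.example"): BOGUS_KEY}
POLICY = {"nomail-a.example": "all", "nomail-b.example": "all"}  # "I sign all mail"

def rsa_check(key, body, sig):
    """Textbook RSA comparison (no padding), enough to stand in for the costly step."""
    n, e = key
    digest = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return pow(sig, e, n) == digest

def evaluate(domain, body, signature=None):
    """Return (verdict, public_key_operations) for one message.

    signature is None, or a (selector, sig_int) pair taken from the message.
    """
    signs_all = POLICY.get(domain) == "all"
    fail = "reject" if signs_all else "neutral"
    if signature is None:
        return fail + ": unsigned", 0
    selector, sig = signature
    key = KEYS.get((selector, domain))
    if key is None:
        # No key record: the message fails before any cryptography runs.
        return fail + ": no key record", 0
    if rsa_check(key, body, sig):
        return "pass", 1
    return fail + ": bad signature", 1

if __name__ == "__main__":
    body = b"constructed message body"
    for dom, sig in [("nomail-a.example", None),
                     ("nomail-a.example", ("dead", 1)),
                     ("nomail-b.example", ("dead", 1)),
                     ("nomail-b.example", None)]:
        print(dom, sig, evaluate(dom, body, sig))
```

Both domains reject every message, but only the domain that publishes a key makes the receiver spend a public-key operation on a bogus signature.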
