Re: DKIM Signatures now being applied to IETF Email

Sun, 31 Jul 2011 03:12:32 -0700

You continue to not comprehend (or rather ignore) what continues to plaque DKIM - the lack of fault detection. Its why it continues to have a hard time and have people who actually believe in this promising protocol "bitch" about it. If these "big email" providers (or anyone for that matter) begin to make assertions about what is good about their mail then they better be ready for the violations of such assertions to be rejected. You can't have it just one way and mandate this is the only way to process this overhead - looking for good mail only and ignoring all the violations and illogically treating it like it was never signed or compromised or attempted to be compromised.
The overall difficulty is that originality is lost - the original author or dkim signer has lost or lacks any protocol guidance to tell resigners that the mail they are about the process might be bad - according to the original author domain. 


If the resigner is going to intentionally and neglectfully ignore all 
original claims about the original domain signing practice, then how 
do you expect the anonymous "copy-cat" abuse to be controlled?



Murray S. Kucherawy wrote:

-----Original Message-----
From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of t.petch
Sent: Saturday, July 30, 2011 3:26 AM
To: Barry Leiba
Cc: ietf
Subject: Re: DKIM Signatures now being applied to IETF Email

Sadly, I do not see it being used in the mailing lists where an
organisation is sending me directly data I would like to be able to rely on
- which I think fits the applicability well - and instead, I see it
being used on a mailing list such as those in the IETF where I
believe that the costs outweigh the benefits - and I have no choice
about that:-(.


There has been some post-DKIM talk recently about the idea of "transient trust", wherein 
(to use this example) ietf.org would verify the signature on an arriving list submission, attach an 
RFC5451 header field that indicates the results of that verification, then send the message out to 
the list with that added field and a new ietf.org signature that "covered" it.  Then, if 
you decide to believe ietf.org's claims about the original signature, you know more than you would 
otherwise.

This hasn't been widely deployed yet, but some big email providers are 
currently playing with the idea.

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf




--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com




_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf



























					Reply via email to