Re: [ietf-dkim] A comprehensive DKIM verification specification will not violate protocol layers.
On Mon, 22 Nov 2010 22:32:41 -, Douglas Otis do...@mail-abuse.org wrote:

> Murray argued singleton header checks to qualify DKIM signatures violates protocol layering.

Which is why I want to fix this problem with normative wording that does not violate protocol layering.

Quite simple:

Signers MUST/SHOULD not sign messages with multiple once-only headers (detailed wording to be discussed).

Verifiers MUST/SHOULD check that signing requirement has been met (i.e. that no multiple once-only headers, or whatever the detailed wording says, are present).

No protocol layering violation, because the verifier is just checking something laid down for signers in the same protocol. RFC 5322 hardly gets mentioned, except presumably when defining Once-only or in explanatory NOTEs, security considerations, etc.

All the scams under discussion still get caught.

--
Charles H. Lindsey -At Home, doing my own thing
Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl
Email: ...@clerew.man.ac.uk snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
___
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
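The verifier-side check proposed in the message above, sketched in Python as an added example (not code from the list or from any DKIM implementation). The once-only field list is an assumption taken from RFC 5322 section 3.6, `crypto_ok` stands in for the outcome of ordinary signature verification, and both function names are hypothetical.

```python
import email
from collections import Counter

# Assumption: "once-only" = the RFC 5322 section 3.6 fields limited to one
# occurrence. The message above leaves the exact list "to be discussed".
ONCE_ONLY = frozenset({
    "date", "from", "sender", "reply-to", "to", "cc", "bcc",
    "message-id", "in-reply-to", "references", "subject",
})


def repeated_once_only(raw: bytes) -> dict:
    """Return {field: count} for each once-only field that occurs more than once."""
    # The default compat32 policy keeps every header occurrence; folded
    # continuation lines are joined to their field, not counted separately.
    msg = email.message_from_bytes(raw)
    counts = Counter(name.lower() for name in msg.keys())
    return {n: c for n, c in sorted(counts.items()) if n in ONCE_ONLY and c > 1}


def signature_qualifies(raw: bytes, crypto_ok: bool) -> bool:
    """A cryptographically valid signature counts only if the message also
    meets the signer-side requirement (no repeated once-only fields)."""
    return crypto_ok and not repeated_once_only(raw)


# Constructed sample messages (not real traffic); signature values omitted.
CLEAN = (
    b"Received: from a.example by b.example\r\n"
    b"Received: from c.example by a.example\r\n"   # Received may repeat
    b"DKIM-Signature: v=1; d=example.com; s=sel; h=from:to:subject:date;\r\n"
    b"\tbh=(omitted); b=(omitted)\r\n"
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: quarterly\r\n report\r\n"            # folded, still one field
    b"Date: Mon, 22 Nov 2010 22:32:41 +0000\r\n"
    b"\r\n"
    b"body\r\n"
)
# Same message with a second From field added in front, differing in case.
DUPLICATED = b"FROM: Someone Else <other@example.org>\r\n" + CLEAN

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("duplicated", DUPLICATED)):
        print(label, repeated_once_only(raw), signature_qualifies(raw, True))
```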
Re: [ietf-dkim] DKIM Japan has been set up
--On 22 November 2010 09:25:26 -0800 Steve Atkins st...@wordtothewise.com wrote:

> ADSP is better than SPF, but it's still not something anyone should consider deploying widely as a primary means of deciding to discard inbound email.

Actually, they're complementary. In places where DKIM fails (mailing lists rewriting messages), SPF can succeed. And in places where SPF fails (message forwarding), DKIM can succeed.

Messages can have a reasonable level of trust if they achieve either an SPF pass for a trusted domain, OR a DKIM verification for a trusted signer. Of course, you still need to check for malware and be wary of messages from compromised accounts.

Deployment of SPF and DKIM are both low enough that you can't either reject or discard messages simply because they don't pass or verify. But, we already give a small negative spam score for SPF softfail and neutral results, and haven't had any complaints. For DKIM it's harder, but for certain author domains (including those that publish ADSP discardable), it might be worth considering downgrading messages - especially when combined with SPF fail/neutral/softfail.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] DKIM Japan has been set up
John R. Levine jo...@iecc.com wrote:

We really need a FAQ for this group. Simply publishing an ADSP record does not change this fact. ADSP can perhaps be used productively for specific signers and verifiers, but it does not work for all legitimate scenarios. What does work for all legitimate scenarios? Short answer: nothing. Right. It also doesn't wax my car, which is equally relevant. ADSP certainly isn't ideal, but (unlike the rest of your message) saying something does not work for all legitimate scenarios is not a useful contribution to the discussion.

Scott K
Re: [ietf-dkim] DKIM Japan has been set up
--On 23 November 2010 02:06:17 +0900 Tsuneki Ohnishi ts...@infomania.co.jp wrote:

> Well, it's just a newbie's idea, so may be totally unacceptable. But please understand that we're heavily committed. Gotta find a way through.

My view is that this is a long term game. You can help by encouraging uptake of DKIM, and deploying domain based reputation engines. If your major public ISPs, corporate, and government sites make use of these things, then deliverability will be improved for legitimate mailers who deploy DKIM.

You also need to encourage deployment of RFC5068, in order that sent emails are more likely to be properly routed through the relevant DKIM signing engines. http://www.apps.ietf.org/rfc/rfc5068.html

I'd also suggest deploying SPF as a complementary technology. Most email paths preserve either DKIM or SPF, even when one or other is not preserved. They both permit the use of domain based reputation engines, although the domains protected will not always be the same.

Finally, promote the use of MTAs that can verify DKIM during the SMTP session. This way, messages can be rejected rather than discarded, if there's a problem. Rejection of messages at SMTP time permits the sender to be aware of problems with false positives.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
Re: [ietf-dkim] DKIM Japan has been set up
> Actually, they're complementary. In places where DKIM fails (mailing lists rewriting messages), SPF can succeed.

Haven't we been over this a hundred times already? It's ADSP, not DKIM, that fails on mailing list mail. DKIM works just dandy, when lists sign their mail like this one does.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Please consider the environment before reading this e-mail. http://jl.ly