[ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Hector Santos
What is the current recommended method to establish or expose that a DOMAIN should not be signed, is not expected to be signed and that any DKIM supportive receiver seeing a message with a signature from a purported domain should be rejected with full confidence? Will a NULL public key do the t

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Suresh Ramasubramanian
On the lines of "v=spf1 -all" or example.com. IN MX 0 . (Mark Delany's old mxzerodot proposal)? Yes a null signature could probably do it but something more explicit perhaps to signal that this is not simply breakage? On Thu, Feb 19, 2009 at 11:20 AM, Hector Santos wrote: > What is the curren

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Douglas Otis
On Feb 19, 2009, at 11:20 AM, Hector Santos wrote: > What is the current recommended method to establish or expose that a > DOMAIN should not be signed, is not expected to be signed and that > any DKIM supportive receiver seeing a message with a signature from > a purported domain should be

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Murray S. Kucherawy
On Thu, 19 Feb 2009, Hector Santos wrote: > What is the current recommended method to establish or expose that a > DOMAIN should not be signed, is not expected to be signed and that any > DKIM supportive receiver seeing a message with a signature from a > purported domain should be rejected with

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread John Levine
>What is the current recommended method to establish or expose that a >DOMAIN should not be signed, is not expected to be signed and that any >DKIM supportive receiver seeing a message with a signature from a >purported domain should be rejected with full confidence? That's easy: don't publish

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Hector Santos
John Levine wrote: >> What is the current recommended method to establish or expose that a >> DOMAIN should not be signed, is not expected to be signed and that any >> DKIM supportive receiver seeing a message with a signature from a >> purported domain should be rejected with full confidence? >

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Barry Leiba
>> By design, a broken signature is equivalent to no signature. > > Yeah, that RFC 4871 anomaly "Failure Promotion to no signature" always > did baffle me. If either one were "better", attackers would just shift to the better one. It's simple enough to use no signature at all, if no signature is

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Douglas Otis
On Feb 19, 2009, at 2:27 PM, John Levine wrote: >> What is the current recommended method to establish or expose that >> a DOMAIN should not be signed, is not expected to be signed and >> that any DKIM supportive receiver seeing a message with a signature >> from a purported domain should b

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Murray S. Kucherawy
On Fri, 20 Feb 2009, Franck Martin wrote: > Should we not query every time the DNS, to check that this domain will > sign every message as policy and that a non signed message is therefore > invalid? You would then only query for a non-signed message, not every message. > In the case of the eba

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Franck Martin
Auto-Detected Subject: Re: [ietf-dkim] NO DKIM "POLICY" On Thu, 19 Feb 2009, Hector Santos wrote: > What is the current recommended method to establish or expose that a > DOMAIN should not be signed, is not expected to be signed and that any > DKIM supportive receiver seeing a me

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Hector Santos
Barry Leiba wrote: >>> Levine wrote: >>> >>> By design, a broken signature is equivalent to no signature. > >> Yeah, that RFC 4871 anomaly "Failure Promotion to no signature" always >> did baffle me. > > If either one were "better", attackers would just shift to the better > one. It's simple

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 Thread Hector Santos
Murray S. Kucherawy wrote: > On Fri, 20 Feb 2009, Franck Martin wrote: >> Should we not query every time the DNS, to check that this domain will >> sign every message as policy and that a non signed message is >> therefore invalid? > > You would then only query for a non-signed message, not ever

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 Thread Hector Santos
Douglas Otis wrote: > On Feb 19, 2009, at 2:27 PM, John Levine wrote: > >>> What is the current recommended method to establish or expose that >>> a DOMAIN should not be signed, is not expected to be signed and >>> that any DKIM supportive receiver seeing a message with a signature >>> from

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 Thread Douglas Otis
On Feb 20, 2009, at 11:43 AM, Hector Santos wrote: > Douglas Otis wrote: >> On Feb 19, 2009, at 2:27 PM, John Levine wrote: What is the current recommended method to establish or expose that a DOMAIN should not be signed, is not expected to be signed and that any DKIM support

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 Thread Franck Martin
but it can come from @example.com signed by @test.com - Original Message - From: "Douglas Otis" To: "Hector Santos" Cc: ietf-dkim@mipassoc.org Sent: Saturday, 21 February, 2009 8:10:00 AM (GMT+1200) Auto-Detected Subject: Re: [ietf-dkim] NO DKIM "POLICY"

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 Thread Douglas Otis
On Feb 20, 2009, at 1:58 PM, Franck Martin wrote: but it can come from @example.com signed by @test.com This could be described a third-party signature, where test.com should not be considered authoritative for example.com, just as ads.example.com should not be. While test.com may allow

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 Thread Franck Martin
Any way to tell someone its signature is used in third party signing? - Original Message - From: "Douglas Otis" To: "Franck Martin" Cc: ietf-dkim@mipassoc.org, "Hector Santos" Sent: Saturday, 21 February, 2009 10:20:39 AM (GMT+1200) Auto-Detected Su

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 Thread Hector Santos
Franck Martin wrote: > Any way to tell someone its signature is used in third party signing? AFAIK, not in a standard fashion As Doug pointed out, you can detect that it appears to be 3rd party, but the long debated issue has been how to determine if the 3rd party was "authorized" to sign for t

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 Thread Franck Martin
Douglas Otis" , ietf-dkim@mipassoc.org Sent: Saturday, 21 February, 2009 11:59:28 AM (GMT+1200) Auto-Detected Subject: Re: [ietf-dkim] NO DKIM "POLICY" Franck Martin wrote: > Any way to tell someone its signature is used in third party signing? AFAIK, not in a standard fashion

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-21 Thread Hector Santos
Franck Martin wrote: > I see a problem with I allow 3rd party signers. In the case of > a mailing list or forwarder or remailer, it may sign without the > knowledge of the original sender which is acceptable. I just noticed this mailing list is signing as a 3rd party: From: Hector Santos

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-21 Thread John Levine
>Any way to tell someone its signature is used in third party signing? No. See the list archives where this issue was beaten to death several times. Remember that invalid signatures are ignored, and signers are already aware of all the valid signatures they've applied. R's, John __

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-21 Thread Hector Santos
John Levine wrote: >> Any way to tell someone its signature is used in third party signing? > > Remember that invalid signatures are ignored, and signers are already > aware of all the valid signatures they've applied. Well, according to what I've seen by the GMAIL verifier, it is discarding mail wit

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-21 Thread Jeff Macdonald
On Sat, Feb 21, 2009 at 10:45:34AM +1200, Franck Martin wrote: > Any way to tell someone its signature is used in third party signing? I've been working on something to do just that. Or at least a way to say such signatures are allowed. My understanding of a "third party" signature is an authent