Stephen Farrell wrote:

> "Policies can be open or closed. Open policies define a set of
>  conformant messages and are silent about other messages. Closed
>  policies define the set of conformant messages and other messages
>  do not conform to the policy.
 
>  If a domain owner publishes an open policy, and if some "bad"
>  unsigned messages apparently emanate from that domain then the
>  domain owner's reputation may suffer.
 
>  Closed policies can disrupt practices such as posting to list
>  servers, use of e-invites, and other similar services.
 
>  If unsigned mail from domains with open policies is treated
>  any better on the basis that the policy exists, then bad actors
>  will search for open policies in order to select the value for a
>  falsified From header.
 
>  Searching for a policy statement may have a significant cost and
>  bad actors can select messages so as to maximise this cost in
>  an attempt at DoS.
 
>  Policy statements inherently expose information about the domain
>  to which the policy is intended to apply. Bad actors can use
>  this information to select values for inclusion in messages."
 
> I think (not that confidently mind you) that those statements
> are correct, and if so, could imagine a wordsmithed version
> ending up in the threats draft. Be interested in what others
> think.

Jim could copy it as is to his draft. I like it; no further
wordsmithing needed.
                           Bye, Frank


_______________________________________________
ietf-dkim mailing list
http://dkim.org
