[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?
John Levine
johnl at iecc.com
Tue Aug 9 21:04:31 PDT 2005
>IMHO, if no SSP record is defined for the OA, then messages from
>the OA must be considered to never be signed, and any signed message
>should be considered suspicious.
I see why you might want to mandate that any domain that publishes
DKIM keys also must publish SSP records, but it doesn't feel to me
like the rest of the group is ready to do that.
R's,
John