[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?
Earl Hood
earl at earlhood.com
Thu Aug 18 20:41:38 PDT 2005
On August 18, 2005 at 17:01, Douglas Otis wrote:
> DKIM provides significant value beyond implementing a weak and
> uncertain anti-spoofing mechanism. MUAs are not designed to ensure
> the identity of the author or sender. As a result, MUAs often fail
> to show headers intended to indicate this information. In addition,
> MUAs also often fail to show underlying email addresses in favor of
> "pretty names." This makes for a poor foundation upon which to build
> any anti-spoofing mechanism without major renovations.
...
Since it appears there are different views on what DKIM should,
or should not be, I want to make sure I understand your view, without
the clutter of debating specifics.
Is your view in a nutshell (of what DKIM should be): When a domain
signs a message, it is saying, "Here is what I got and transmitted."
DKIM only provides a verifiable trace of a message.
And/or, DKIM should provide verifiability of a message's originating
domain: the initial domain that receives a sender's message for
transmission. When the initial domain signs a message, it is saying,
"Here is what the domain-authorized sender submitted to me for
transmission."
--ewh