[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

John Levine johnl at iecc.com
Fri Aug 19 09:14:06 PDT 2005


>A third-party signature is a lot weaker assertion than an OA signature, 
>unless you know something about the third party.

Seems to me that no signature is useful unless you know something about
the signing party.

Let's say you get a message from fred at slimy.biz, with valid signatures
from slimy.biz.  Now what?  Unless you have some knowledge about slimy.biz
(or perhaps some well-founded suspicions about .biz in general, which
would apply equally to third-party signatures), you don't have much to
go on beyond knowing that the return address isn't forged.

DKIM will be useful in the short run because we all have quite a lot of
knowledge about domains with which we exchange a lot of mail, and that
lets us get their mail out of the filtering path.

R's,
John
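As an added illustration of the point made in this message (example code written for this archive page, not from John Levine or the DKIM working group), the following Python sketch pulls the d= tag out of a DKIM-Signature header, reports whether the signer is the From: domain or a third party, and shows that a verified signature only yields a signer identity: whether that identity takes the message out of the filtering path depends on a local table of well-known correspondent domains (KNOWN_DOMAINS, a constructed assumption).

```python
import re
from email.utils import parseaddr

# Constructed table of domains we exchange a lot of mail with (assumption, not from the post).
KNOWN_DOMAINS = {"example.com", "partner.example"}


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header into its tag=value pairs (the RFC 6376 tag list)."""
    tags = {}
    for part in header_value.split(";"):
        # partition at the first '=' only: base64 values such as b= may end in '='
        name, sep, value = part.partition("=")
        if sep:
            # folding whitespace inside a value is not significant
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signer_relation(from_header: str, dkim_signature: str) -> str:
    """'first-party' if the d= domain matches the From: domain, otherwise 'third-party'."""
    signer = parse_dkim_tags(dkim_signature).get("d", "").lower()
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return "first-party" if signer and signer == from_domain else "third-party"


def filtering_decision(from_header: str, dkim_signature: str, verified: bool) -> str:
    """Apply the post's reasoning: a verified signature only identifies the signer;
    what we already know about that signing domain decides the filtering path."""
    if not verified:
        return "filter"          # nothing authenticated, treat like any other mail
    signer = parse_dkim_tags(dkim_signature).get("d", "").lower()
    if signer in KNOWN_DOMAINS:
        return "skip-filter"     # well-known correspondent: take it out of the filtering path
    # Valid signature from a domain we know nothing about: the return address is
    # not forged, but that is all we have to go on, so it still goes through the filters.
    return "filter"


if __name__ == "__main__":
    # Constructed sample headers for the slimy.biz case from the message above.
    sig = "v=1; a=rsa-sha256; d=slimy.biz; s=sel; h=from:to; bh=abc=; b=xyz="
    print(signer_relation("fred@slimy.biz", sig), filtering_decision("fred@slimy.biz", sig, True))
```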
