[ietf-dkim] DKIM SSP: Security vulnerability when SSP
record does not exist?
sm at resistor.net
Fri Aug 19 16:51:04 PDT 2005
At 12:19 18-08-2005, Earl Hood wrote:
>As for the receiver making the final decision, all receiver
>implementation should generate the same result on the same message
>(at the DKIM level). There should not be room for ambiguity and
>variability, this can lead to exploitation.
That is where implementation guidelines can help. If we want to
prevent ambiguity and variability, it will come at the cost of
restrictions on how email is used. If a domain elects not to have a
SSP record, we can assume that the owner does not want DKIM.
More information about the ietf-dkim