[ietf-dkim] DKIM Threat Analysis v0.06

SM sm at resistor.net
Fri Aug 19 16:38:17 PDT 2005


At 09:08 18-08-2005, Scott Kitterman wrote:
>It isn't entirely clear to me exactly where DKIM wants to live in 
>this chain.  Is it a tool for the SMTP server to reject messages 
>from SMTP clients that are doing something unauthorized?  Is it a 
>tool for post-acceptance filtering and routing in the MDA?  Is it a 
>tool meant to give MUAs information to display to end users?

There has been a lot of discussion about rejection.  Up to now, we 
have "rules" and RBLs to reject "bad" messages.  Mail filtering also 
has a negative impact on mail delivery.  DKIM also provides the 
building block for whitelisting mail.  It can also be abused as we 
have seen in the discussion about replay attacks.

>Given the transient nature of information in DNS, I think that any 
>technology that relies on DNS needs to be primarily a tool for the 
>MTA with the potential for secondary use at the MDA level if the 
>latencies are low enough.  For MUAs, results need to be captured by 
>the MTA/MDA for display by upgraded MUAs.

The MUA may not be on an "always-on" connection or it may not have 
the capabilities to do DKIM verification.  That is where the 
Authentication-Results header comes in.

Regards,
-sm 
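
The MUA-side use of the Authentication-Results header mentioned in the reply above, as an added example that is not part of the original message: a client that cannot verify DKIM itself reads the result recorded by its own border MTA and ignores any such header stamped by another host. The header syntax (`authserv-id; method=result property=value`, as in RFC 8601), the hostname `mx.example.org`, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Assumption: the authserv-id of the receiver's own border MTA. That MTA is also
# assumed to strip inbound headers that already claim this identifier.
TRUSTED_AUTHSERV_ID = "mx.example.org"

# Constructed sample: the first header was added by our MTA; the second arrived
# with the message and is only a claim made by an unknown host.
SAMPLE = """\
Authentication-Results: mx.example.org;
 dkim=pass (constructed) header.d=example.com; spf=pass smtp.mailfrom=example.com
Authentication-Results: mail.sender.example; dkim=pass header.d=bank.example
From: Alice <alice@example.com>
Subject: hello

body
"""

def parse_authres(value):
    """Split one header value into (authserv_id, list of result dicts)."""
    value = re.sub(r"\([^()]*\)", "", value)      # drop simple (comments)
    parts = [p.strip() for p in value.split(";")]
    first = parts[0].split()
    authserv_id = first[0].lower() if first else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue                              # "none" or an empty segment
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(),
                        "result": result.lower(), "props": props})
    return authserv_id, results

def dkim_status(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return (result, signing domain) pairs recorded by the trusted MTA only."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(value)
        if authserv_id != trusted_id:
            continue                              # not stamped by our MTA
        found += [(r["result"], r["props"].get("header.d"))
                  for r in results if r["method"] == "dkim"]
    return found

if __name__ == "__main__":
    print(dkim_status(SAMPLE))
```
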


