[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?
Scott Kitterman
ietf-dkim at kitterman.com
Sat Aug 20 09:51:07 PDT 2005
Dave Crocker wrote:
> On 19 Aug 2005 16:14:06 -0000, John Levine wrote:
>
>>> A third-party signature is a lot weaker assertion than an OA signature,
>>> unless you know something about the third party.
>>
>> Seems to me that no signature is useful unless you know something about the
>> signing party.
>
>
> That nicely summarizes the problem I have with the fixation of *requiring* a
> tie-in to the origination domain.
>
Oddly enough I haven't noticed anyone suggesting that the signing entity
must be required to be tied to the origination domain.

What I have seen is a number of people suggesting that the marginal
utility of having a mechanism to *allow* a tie-in to the origination
domain is quite substantial, relatively easy to achieve, and a big boost
to incentives for domain owners to deploy DKIM.

I'm sure it won't surprise anyone that I find the resistance to this
simple concept extremely surprising and difficult to fathom.

Scott Kitterman