[ietf-dkim] DKIM SSP: Security vulnerability when SSP record does
dotis at mail-abuse.org
Wed Aug 24 14:55:26 PDT 2005

On Aug 24, 2005, at 1:55 PM, Scott Kitterman wrote:
> Is it your view that DKIM-SSP ought to be in scope or out of scope
> for the initial work of the working group?

DKIM should focus upon verifying the sending domain, and imparting
controls permitting accountability for subsequent abuses signed by

Better progress could be made by limiting the mailbox-addresses'
relationship with the signing domain to that of perhaps the scope of
a recommended binding. This scope may vary due to less trustworthy
keys, for example. The use of the binding and the specific mailbox-
address would be left to the MUA engineer. In that respect, i= would
be opaque and not directly relate to a mailbox-address (out of
privacy concerns), but rather to some static element or sequential
identifier specially added to enhance opportunistic identification,
message replay abuse abatement, and abuse correlation.

Expectations that DKIM will directly eliminate specific behaviors
related to mailbox-addresses should be squelched. DKIM, as a tool,
has significant value without attempts to support often unjustified
claims. As such extensions into the mailbox-address space will
likely affect those designing the MUAs, it seems appropriate the
topic of validating the mailbox-address be discussed elsewhere for
that reason. This area of work is orthogonal to the goal stated above.