[ietf-dkim] draft-fenton-dkim-threats-00
Michael Thomas
mike at mtcc.com
Thu Oct 13 14:05:55 PDT 2005
Earl Hood wrote:
> In order to provide a better assessment on the value of a DKIM domain
> identity, it would help to know the role it played in the transmission
> of a message. For example, an originating domain signature may have
> a different weighting by recipients from a forwarding domain signature
> when determining if the message is acceptable.
The main problem with roles or any other assertion that
cannot be independently verified is that they cannot
be trusted by the receiver. If there's some sort of
advantage to asserting a role which cannot be verified
independently, then attackers will exploit it.
About the only "role" I think we can ascertain with any
certainty using the DNS hierarchy as the trust root
is that a domain asserting an identity has a relationship
with one or more of the origination identities (or not).
This can be independently verified since there is a
relationship between the domain suffix of the 2822 address
under consideration and the corresponding DNS tree. Beyond
that, I don't know what verifiable roles DNS can provide.
Mike
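
The relationship check described in the message above, sketched as an added example (not part of the original post or of any DKIM implementation): it compares the signing domain with the domains of the From and Sender addresses label by label. It assumes the signing domain is carried in the `d=` tag of a `DKIM-Signature` header as in the published DKIM specification, and that the signature itself has already been verified cryptographically; the sample message and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; header values are illustrative placeholders.
SAMPLE = """\
From: Alice <alice@eng.example.com>
Sender: list-bounces@lists.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: test

body
"""

def signing_domains(msg):
    """Return the d= value of each DKIM-Signature header, lowercased."""
    found = []
    for hdr in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in hdr.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = "".join(value.split())  # drop folding
        if tags.get("d"):
            found.append(tags["d"].lower().rstrip("."))
    return found

def origination_domains(msg):
    """Domains of the RFC 2822 originator addresses (From, then Sender)."""
    headers = msg.get_all("From", []) + msg.get_all("Sender", [])
    return [addr.rpartition("@")[2].lower().rstrip(".")
            for _, addr in getaddresses(headers) if "@" in addr]

def is_related(signer, addr_domain):
    """True if signer equals addr_domain or is a parent of it in the DNS tree."""
    s, a = signer.split("."), addr_domain.split(".")
    # Compare whole labels: a plain string suffix test would wrongly accept
    # "evilexample.com" for "example.com". A one-label signer such as "com"
    # is refused; a real deployment needs a public-suffix list (assumption).
    return 2 <= len(s) <= len(a) and a[-len(s):] == s

def relationship(msg):
    """Map each signing domain to the origination domains it is related to."""
    origins = origination_domains(msg)
    return {d: [o for o in origins if is_related(d, o)]
            for d in signing_domains(msg)}

if __name__ == "__main__":
    print(relationship(message_from_string(SAMPLE)))
```
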