[ietf-dkim] over-the-wire (in)compatibility between pre-IETF DKIM
and (eventual) IETF DKIM
earl at earlhood.com
Mon Oct 17 16:02:18 PDT 2005
On October 17, 2005 at 09:07, Dave Crocker wrote:
> 2. Incompatibility comes in a variety of forms. I think that for our
> purposes, the most significant difference is between a change that
> permits senders to continue with their old behaviors (over the wire) and
> still have signatures work for receivers who have upgraded. By
> contrast, requiring both senders and signers to change, in order to
> interoperate, is a massive barrier to entry for the installed base.
Hector raised a good point about attackers being able to exploit
this. I.e., if standardized DKIM is more secure, attackers will
exploit the legacy user base to get around the more secure version.
A good example is the flaws in SSP that facilitate spoofing.
People who have adopted DK/DKIM now should realize that the technology
is experimental, and be willing to take the risks and costs associated
with deploying experiments.
It is definitely worth considering the current user base of the
experimental proposals since not doing so can hinder adoption. However,
security matters should trump this, especially if vulnerabilities
are already known.