[ietf-dkim] [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt]
Douglas Otis
dotis at mail-abuse.org
Thu Jan 12 13:59:34 PST 2006

On Jan 12, 2006, at 11:56 AM, Michael Thomas wrote:
> Eliot Lear wrote:
>
>> Mike,
>>
>> I think it depends on the prevalence of DKIM and the parameters of
>> the reputation service, which is out of scope and cannot be
>> standardized.
>
> I'm not suggesting it's in scope for anything here, just that as a
> _threat_ it's akin to any other kind of threat of people doing
> something Really Stupid(tm).

While this misuse of identifiers would be rather stupid, email
unfortunately is replete with Really Stupid(tm) tools. :(

> In this particular case, it would be the threat of somebody in the
> business that really ought not be if they can't understand why this
> is the wrong behavior.

This concern was raised as there are motivators for doing the Really
Stupid(tm) things. When this creates added revenue and redirects
complaints to other hapless entities, then Really Stupid(tm) may look
Really Clever(tm).

> If this belongs anywhere, it's in a BCP.

This was being raised in the threat review for the consideration of
the use of "open-ended" affirmations used by SSP. Only allowing the
publishing of "closed" affirmations avoids this risk. SSP should
also be able to indicate that the record does not apply to
sub-domains for the same reasons.

-Doug