[ietf-dkim] New Issue: 4.2 needs new Attack Item: InconsistentSignature vs Policy Attacks
Dave Crocker
dhc at dcrocker.net
Tue Jan 31 10:09:21 PST 2006

> The non dkim compliant mta who hasn't deployed dkim yet or knowing much
> about it places a rule stating that signed messages should be allowed to
> travel inbound without further checking because dkim is new and safe.

non-dkim compliant, but nonetheless makes a policy decision based on the
presence -- and not even the validity -- of a signature?

that sort of receive-side behavior seems sufficiently misguided that I can't
imagine a need to protect against it by our work.

> A dkim compliant mta will do a dip on my dns records and find no ssp or
> dk record and drop the message as non compliant.

if the signature succeeds, why do they need to check ssp?

d/
--
Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>