[ietf-dkim] CNAME's

Michael Thomas mike at mtcc.com
Wed Jul 5 13:09:51 PDT 2006


Mark Delany wrote:

>On Wed, Jul 05, 2006 at 08:37:52AM -0700, Michael Thomas allegedly wrote:
>
>>>>It's my belief that DKIM selectors don't allow CNAME's. Am I correct?
>
>>First off, let's suppose DKIM's query mechanism were a lot like it is
>>today, but the base mechanism didn't have CNAME's. Suppose that somebody
>>proposed that we should introduce them as a feature. What are:
>
>[ the costs, risks, benefits ]
>
>While interesting, as a practical matter, most verifiers would have to
>go to extraordinary lengths to reliably detect CNAMEs so I think the
>question is mostly moot unless it can be shown that there is a risk
>unique to DKIM.
>
Well, here's one: DKIM often runs during the incoming SMTP conversation
with its inherent timeouts. Can attackers exploit that fact? What should a
developer do to minimize risk?

       Mike

