[ietf-dkim] Requirements on how SSP stuff is found...
Douglas Otis
dotis at mail-abuse.org
Fri Jul 28 15:52:45 PDT 2006
On Jul 28, 2006, at 3:35 PM, Dave Crocker wrote:
>
>
> Mark Delany wrote:
>>> How do you then decide which policies to check? Does this mean
>>> that you need to check every address corresponding to a From,
>>> Sender, Resent-from, Resent-sender, 2821 envelope-from, and List-
>>> id, ...
>>
>> Right. The "Which I" problem.
>
> Indeed. I suspect the challenge, here, is to decide which *few*,
> real threats are serious enough to warrant a solution.
>
> By contrast, an exhaustive exercise to think of every possible
> scenario that we might feel like covering seems like a good way to
> a) reduce the overall relevance of the work, and b) make the
> mechanism big enough and complex enough to be difficult to
> implement properly.
There needs to be a strategy to limit the number of signature
verifications and identities checked, or the verifications and
lookups themselves may create a threat.
Originator Address (OA) (2822.From(s))
Current Address (CA) (2822.Resent-Sender -> Resent-From(s) -> Sender -> OA)
Limiting the effort to the OA seems appropriate. Is there a
significant threat related to CA spoofing?
-Doug
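As an added illustration of the OA/CA selection discussed in this message (example code written for this archive page, not from the post or from any DKIM or SSP implementation), the snippet below pulls the Originator Address from 2822.From, derives the Current Address from the Resent-Sender -> Resent-From -> Sender -> OA precedence, and caps how many policy domains a verifier would query, which is the lookup-bounding point of the post. The two sample messages, the `max_lookups` cap and the function names are assumptions.

```python
import email
from email.utils import getaddresses

# Constructed sample messages (not taken from the thread).
SAMPLE_RESENT = """\
Resent-From: relay@forwarder.example
Resent-Sender: robot@forwarder.example
Sender: secretary@origin.example
From: Alice <alice@origin.example>, Bob <bob@partner.example>
To: carol@dest.example
Subject: constructed test

body
"""

SAMPLE_PLAIN = """\
From: Alice <alice@origin.example>
To: carol@dest.example
Subject: constructed test

body
"""

# Precedence for the Current Address; fall back to OA if none is present.
CA_PRECEDENCE = ("Resent-Sender", "Resent-From", "Sender")

def parse(raw):
    return email.message_from_string(raw)

def _addrs(msg, header):
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]

def originator_addresses(msg):
    """OA: every address in 2822.From."""
    return _addrs(msg, "From")

def current_addresses(msg):
    """CA: first populated header in CA_PRECEDENCE, else the OA."""
    for header in CA_PRECEDENCE:
        found = _addrs(msg, header)
        if found:
            return found
    return originator_addresses(msg)

def policy_lookup_domains(raw, include_ca=False, max_lookups=2):
    """Deduplicated domains a verifier would query, hard-capped at max_lookups."""
    msg = parse(raw)
    candidates = originator_addresses(msg)
    if include_ca:
        candidates = candidates + current_addresses(msg)
    domains = []
    for addr in candidates:
        domain = addr.rpartition("@")[2]
        if domain and domain not in domains:
            domains.append(domain)
    return domains[:max_lookups]  # bound the work an attacker can induce
```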