[ietf-dkim] Re: 3rd party signing
william at elan.net
Mon Jul 31 12:19:43 PDT 2006
On Mon, 31 Jul 2006, wayne wrote:
> In <20060731150944.11804.qmail at snake.corp.yahoo.com> Mark Delany <MarkD+dkim at yahoo-inc.com> writes:
>> On Mon, Jul 31, 2006 at 09:59:19AM -0400, Bill.Oxley at cox.com allegedly wrote:
>>>>> The statement that I sign only my own mail makes perfect sense.
>>>> If I have a message with your valid 3rd party signature, meaning that
>>>> you've published the key, and your SSP says you sign only your own mail,
>>> You believe both and apply a receiver policy determined by yourself that
>>> will handle a message with an anomaly,
>> I'm with John on this. I don't see any merit in constructing a system
>> that allows anomalies soley for the purpose of giving a receiver less
>> certainty and more work to do.
print "-1\n" while +1;
> This is much like the reason I don't like stuff in the rDNS that
> indicates that "this machine should never send email". If you want
> that policy, do port 25 blocking. Don't make the rest of the world
> try to figure out whether you screwed up on your security or you
> screwed up on your published policy. And, have to do that all after
> receiving the traffic.
My ISP operational experience is that just filtering on the outgoing side
is not enough, and even though you try to do the right thing, eventually
your system will get compromised in some way and there needs to be a
backup plan that takes over. So there is nothing wrong with a policy
record that says I don't sign emails at all or I don't sign somebody
else's email. And if receivers believe this policy is not useful and
not necessary, of course they will just not check for it or ignore it.
[OT to this WG list follows]
For port 25 blocking, it is also true that many ISPs are just not
willing to filter on their outgoing network end (for various
reasons, some having to do with legal agreements) but may well be
willing to mark their network as part of adding PTR records. This is
also OT to this group, but after some time I came to the conclusion that
if we have PTR email policy records, we should not allow an easy way
to add them to an entire IP block and should instead force adding a record
for each IP address, in the same way they'd do it when adding a PTR.
This is to make sure ISPs actually are maintaining it all properly.
william at elan.net
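Added example, not part of the thread above and not code from any of the participants: a receiver-side check that makes the "anomaly" under discussion concrete. It parses the From: domain and the d= tags of the DKIM-Signature headers, looks up the author domain's policy record, and decides what to do when a message whose From: domain claims "I sign all my own mail" arrives carrying only a valid third-party signature. The policy record syntax (an "o=" tag with the values ~, -, !, .) is an assumption loosely modelled on the early SSP drafts, not a format the thread shows; the sample message and policy records are constructed; and cryptographic verification of the signatures is assumed to happen elsewhere and is represented by a dict of signing domain to verified-or-not. The check_policy flag models the point that a receiver who finds the policy useless can simply not consult it.

```python
"""Receiver policy evaluation for DKIM signatures versus a sender policy
record (added illustration; record syntax and sample data are assumptions).
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: is example.com, but the only signature present
# comes from mailer.example.net, a third party.
SAMPLE_MESSAGE = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.org\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel1;\n"
    " h=from:to:subject; bh=...; b=...\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed policy records keyed by From: domain. The o= values are an
# assumption (loosely after the early SSP drafts), not a format from the thread:
#   "~" signs some mail, makes no claim      "-" signs all of its own mail
#   "!" signs all own mail, third-party signatures never count (strict)
#   "." the domain sends no mail at all
POLICY_RECORDS = {
    "example.com": "o=-; r=postmaster@example.com",
    "strict.example": "o=!",
    "nomail.example": "o=.",
}


@dataclass
class Disposition:
    action: str      # "accept", "suspect" or "reject"
    reason: str
    anomaly: bool = False  # True when published policy and signature disagree


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list into a dict, tolerating folding."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def from_domain(msg):
    """Domain part of the From: address, lowercased ('' if absent)."""
    address = parseaddr(msg.get("From", ""))[1]
    return address.rpartition("@")[2].lower()


def signing_domains(msg):
    """The d= tag of every DKIM-Signature header, lowercased."""
    return [parse_tags(h).get("d", "").lower()
            for h in msg.get_all("DKIM-Signature", [])]


def evaluate(raw_message, verified, policy_records=POLICY_RECORDS,
             check_policy=True):
    """Decide how to treat a message given which signatures verified.

    verified: dict of signing domain -> bool (result of a real DKIM verifier,
    assumed to exist elsewhere).  check_policy=False models a receiver that
    ignores sender policy entirely.
    """
    msg = message_from_string(raw_message)
    author = from_domain(msg)
    signers = [d for d in signing_domains(msg) if verified.get(d, False)]
    first_party = author in signers
    third_party = [d for d in signers if d != author]

    if check_policy:
        policy = parse_tags(policy_records.get(author, "")).get("o", "~")
    else:
        policy = "~"  # no policy consulted: behave as if none were published

    if policy == ".":
        return Disposition("reject", "domain publishes that it sends no mail")
    if first_party:
        return Disposition("accept", "valid first-party signature")
    if policy == "~":
        return Disposition("accept", "domain makes no claim about signing")
    if third_party and policy == "-":
        # The anomaly from the thread: the signer published a key and signed,
        # yet the From: domain says it signs all its own mail.  Local receiver
        # policy decides; here the message is flagged rather than rejected.
        return Disposition(
            "suspect",
            f"third-party signature from {third_party[0]} contradicts "
            f"'signs all own mail' policy of {author}",
            anomaly=True)
    return Disposition(
        "reject",
        f"no acceptable signature for {author}, which signs all its own mail")


if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGE, {"mailer.example.net": True}))
    print(evaluate(SAMPLE_MESSAGE, {"mailer.example.net": True}, check_policy=False))
```

With the sample data, the third-party-signed message from example.com is flagged as an anomaly (action "suspect"), the same message with policy checking switched off is accepted, and a message from nomail.example is rejected whatever it carries.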