[ietf-dkim] The key record upgrade attack

Hector Santos hsantos at santronics.com
Fri Aug 4 09:46:02 PDT 2006


----- Original Message -----
From: "Stephen Farrell" <stephen.farrell at cs.tcd.ie>


> (As an aside - I could imagine someone wanting to allow SSP to say
> something like "if you encounter error <foo> when processing a
> message apparently from me, then I'd recommend that you <bar>"
> and where we'd define a foo="unsupported sig-alg" and maybe have
> bar="barf". But that leads down the mandating-recipient-behaviour
> rathole and may be better tried out via whatever extensibility
> mechanism ends up in SSP.)

I view this not as a mandate, but as a declaration or an "advisement" of not
wanting to take responsibility for any failure seen based on some possible
misrepresentation.

Sort of like:

    "if you find an error <foo> from a signed message purported from
     me, please do me a favor and yourself a favor and get rid of it.
     We will not be responsible for it, but if you want to keep it
     that's up to you."

After all, why go thru the trouble of signing the message if you don't care
for the disposition of the message?  Signing a message should have a reason
and purpose behind it.  No? The "Cross my finger, hope I make it" just seems
really risky.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
