[ietf-dkim] Re: Responsibility concerns with DesignatedSigning Domains
Damon
deepvoice at gmail.com
Sun Aug 27 03:50:11 PDT 2006
On 8/27/06, Frank Ellermann <nobody at xyzzy.claranet.de> wrote:
> Douglas Otis wrote:
>
> > Look-alike exploits exist without designated domains.
>
> Sure, but they sail under their own look alike flag. They can't
> "steal" the reputation of an ISP with millions of zombies for
> their criminal purposes. Admittedly that reputation won't be
> good, but still better than "eboy" = "unknown stranger".

How is this any different than what we are doing with reputation
systems based on IP right now?

>
> > Seldom does less information improve security however.
>
> Make sure that "eboy" is treated as the "unknown stranger" it
> is, even if isp.example.com signed it, and there's no problem.
> An eboy-SSP trying to change this should be ignored.
>

Basing reputation on key provider wouldn't be prudent. If I were a
less than honorable person, I would send all my spam using someone
with a good reputation (goodrep.com) as my DSD. My sig fails because I
purposely munged it; there is no policy saying that this should
definitely be rejected. Because goodrep.com cannot publish all of the
domains that it signs for, it is helpless to do anything about this.

Regards,
Damon Sauer