[ietf-dkim] user level ssp
Douglas Otis
dotis at mail-abuse.org
Thu Sep 7 09:45:52 PDT 2006
On Thu, 2006-09-07 at 08:24 -0700, Michael Thomas wrote:
> That may be a use (though pretty unlikely to me), but the use case
> that I've heard of is more aimed at securing things like
> statements at bigbank.com without having to say "I sign everything" for
> the entire domain which is assumedly a lot harder. The thing about
> this is that you can alternately set up a record for
> statements at accounts.bigbank.com or some such which would work the same
> way.
The account the recipients expect to see is <statements at bigbank.com>.
When this message is signed by "d=accounts.bigbank.com", then this
prevents semantics that would allow the email-address
<statements at bigbank.com> to be assured as being valid. This misses the
goal of offering a high level of assurance. In fact, this will likely
reduce the level of assurance annotations. :(
When the recipients start seeing the email-address
<statements at accounts.bigbank.com>, then they become more prone to cousin
and look-alike attacks, such as <statements at accounts-bigbank.com>.
Using this technique at the signing domain reduces assurances that the
email-address is valid. Using this technique at the email-address
increases exposure to look-alike attacks.
-Doug
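The distinction Doug draws above (a signature with d=accounts.bigbank.com does not vouch for <statements at bigbank.com> at the strictest level, while moving the address itself to a subdomain invites cousin domains such as accounts-bigbank.com) can be checked mechanically on the receiving side. The following is an added example, not code from this thread or from any DKIM implementation: it parses the From: and DKIM-Signature: headers of constructed messages, classifies the d=/From: relationship as strict, relaxed or none, and flags From: domains that differ from an expected domain only in dot/hyphen placement. The organisational-domain helper approximates the registrable domain as the last two labels; that is an assumption for brevity, and a real deployment would consult the Public Suffix List. The signature values in the samples are placeholders, so nothing here verifies a signature; it only reasons about the identifiers.

```python
"""Classify DKIM d= / From: domain alignment and flag look-alike domains.

Added example; not part of the original thread. Messages below are
constructed; signature and hash values are placeholders and are not
verified. Organisational domain is approximated as the last two labels
(assumption: real deployments use the Public Suffix List).
"""
from email import message_from_string
from email.utils import parseaddr


def parse_dkim_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict.

    Folding whitespace inside a value is removed, as the tag grammar allows.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags


def org_domain(domain):
    """Approximate organisational domain as the last two labels (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def alignment(from_domain, signing_domain):
    """'strict' if identical, 'relaxed' if same organisational domain, else 'none'."""
    f, d = from_domain.lower(), signing_domain.lower()
    if f == d:
        return "strict"
    if org_domain(f) == org_domain(d):
        return "relaxed"
    return "none"


def looks_like(domain, expected):
    """True when domain differs from expected only in dot/hyphen placement."""
    def norm(s):
        return s.lower().replace(".", "").replace("-", "")
    return domain.lower() != expected.lower() and norm(domain) == norm(expected)


def assess(raw, expected_domains):
    """Return the From: domain, d= domain, their alignment, and any look-alike hits."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    d = parse_dkim_tags(sig).get("d", "").lower() if sig else ""
    return {
        "from_domain": from_domain,
        "signing_domain": d,
        "alignment": alignment(from_domain, d) if d else "unsigned",
        "lookalike_of": [e for e in expected_domains if looks_like(from_domain, e)],
    }


def _message(from_addr, signing_domain=None):
    """Build a constructed message with an optional placeholder DKIM-Signature."""
    headers = "From: Statements <%s>\n" % from_addr
    if signing_domain:
        headers += ("DKIM-Signature: v=1; a=rsa-sha256; d=%s; s=sel;\n"
                    "\th=from:subject; bh=PLACEHOLDERBH=; b=PLACEHOLDERSIG=\n"
                    % signing_domain)
    return headers + "Subject: Your statement\n\nconstructed body\n"


# Constructed samples mirroring the thread's three cases plus an unsigned one.
SAMPLES = {
    "parent_from_child_sig": _message("statements@bigbank.com", "accounts.bigbank.com"),
    "child_from_child_sig": _message("statements@accounts.bigbank.com", "accounts.bigbank.com"),
    "cousin_domain": _message("statements@accounts-bigbank.com", "accounts-bigbank.com"),
    "unsigned": _message("statements@bigbank.com"),
}

EXPECTED_DOMAINS = ["accounts.bigbank.com", "bigbank.com"]

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw, EXPECTED_DOMAINS))
```

The first sample is the case in the quoted message: the signature is valid, but the address the recipient sees is only related to the signing domain at the organisational level ("relaxed"), so a receiver that annotates only strict matches gives it nothing. The third sample shows the trade-off Doug describes: once users are accustomed to an address under accounts.bigbank.com, a cousin domain signs its own mail perfectly ("strict") and is caught only by the look-alike comparison against a list of domains the receiver already trusts.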