accept, deny, or other delivery decisions (was Re:[ietf-dkim]SSP=FAILURE DETECTION)
Douglas Otis
dotis at mail-abuse.org
Wed Sep 13 10:16:37 PDT 2006
On Sep 13, 2006, at 4:35 AM, Hector Santos wrote:
>>> It is because of that inconsistent DKIM reception handling
>>> unknowns between different systems, we risk encouraging DKIM bad
>>> actors to proliferate against the new creation of different
>>> potential targets.
>>>
>>> In summary, the concern is that there is a risk when you don't
>>> have a common DKIM-BASE handling concept.
>>
>> Could you give a simple example of this risk? Please be brief.
>
> Real world example - DNSRBL

A bit too brief. : )

I assume you mean RHS-Block-lists based upon the DKIM signing domain?
Whether bad actors use DKIM or not does not appear to represent any
added risk.

The limitations in a DKIM signing domain assessment will be exploited
by bad actors. DKIM has a rather major limitation requiring a
message envelope to be considered independently from that of the
signing domain. This means there _are_ substantial risks for the
RHS-Block-List operator. This limitation requires stronger evidence of
behavior approaching that of a criminal nature. This requirement is
well beyond what is normally adequate for listings in IP address
block-lists.

Could you clarify your concern with a simple example that illustrates
what you want to see changed? Again, please be brief, but do provide
the example.

-Doug