[ietf-dkim] 1365, with a question about the "we never send mail"
Douglas Otis
dotis at mail-abuse.org
Mon Oct 16 10:47:48 PDT 2006
On Oct 14, 2006, at 10:06 AM, Dave Crocker wrote:
>
> The working group is focused on DKIM. As I understand it, our work
> on SSP is therefore in support of DKIM. A flag that says "we
> never send mail" is not specific to DKIM.
>
> SSP is being defined as an extensible mechanism and we are
> populating it with some initial set of DKIM-related flags. Nothing
> constrains what flags can be added later.
With the ability of a key to be located in a parent domain, the issue
of repudiation becomes a greater concern when there is a desire to
thwart phishing attempts. Fewer delivery issues are created when
there is an ability to indicate:
1) the specific domains sourcing and signing their messages,
2) their avoidance of services that might damage signatures.
One attack scenario would be a message using a sub-domain email-
address with a broken signature referencing a valid key. Without
these two essential indicators, blocking such messages will likely
prove highly disruptive for those domains not being phished.
Excluding sub-domains with an assertion "this domain never sends
mail" is essential as it permits stricter treatment in this special
case. Rather than the misleading "we" change the statement to
"this domain does not send mail." This domain can easily be a sub-
domain of a phishing target that does use DKIM. It also seems
unlikely a domain that does not use DKIM will bother to make such a
DKIM specific policy statement.
-Doug
More information about the ietf-dkim
mailing list