[ietf-dkim] "I sign everything" yes/no
Hector Santos
hsantos at santronics.com
Tue Nov 21 15:31:28 PST 2006
J.D. Falk wrote:
> But this message isn't signed (and/or the signature is invalid, which
> base says is the same thing.) How do I find out whether or not the
> First Amalgamated Bank of Example thinks that they sign all of their
> messages? That should be a simple, binary operation, right? I really
> don't care about anything else the sender may want to assert.
>
> Should that be in SSP?
Yes. It is a simple DNS query.
> Should it be in something else?
No, not if it's not a standard.
> Should I encourage all of the banks to use a non-standardized
> external mechanism while y'all argue?
No, not in my view, because exploiters will use that special YAHOO/BANK
non-standard process against other systems in yet another attempt to
mask the message as legitimate. In fact, in my technical opinion, you
might put the bank at risk by encouraging a non-standardized method.
Hector Santos/CTO
http://www.santronics.com