[ietf-dkim] Possible C14N incorporating MIME decoding
hsantos at santronics.com
Fri Dec 8 09:55:29 PST 2006
Douglas Otis wrote:
> On Dec 8, 2006, at 7:05 AM, <Bill.Oxley at cox.com> <Bill.Oxley at cox.com>
> Signing is not limited to the MTA, it can be done at the MUA. In
> addition, protections afforded by DKIM requires the MUA to verify
> signatures or obtain trustworthy signaling from the MDA.
I'm sorry. What section in the DKIM specification does it say it
"requires the MUA to verify signatures"?
> Blocking at the MTA can not offer adequate protection.
> It would be wrong to expect blocking at the MTA via restrictive
> policy produces a significant effect on the level of abuse.
Bad Guy uses my domain.com at site XYZ. Site XYZ looks up my policy and
finds he wasn't suppose to use my DOMAIN.
Whas wrong with expecting this is not a highly probably event?
> Blocking via policy definitely does _not_ offer
> much in the way of protection, but will require a significant level of
> support explaining why various messages are being rejected.
- A domain does not expect mail. Pretty good protection
- A domain requires mail to be sign. Pretty good protection
Those two along will cut down a very significant amount of the most
common exploitations without requiring any feedback whatsoever.
More information about the ietf-dkim