[ietf-dkim] draft-ietf-dkim-base-08 submitted

Douglas Otis dotis at mail-abuse.org
Fri Jan 19 10:23:07 PST 2007


On Jan 19, 2007, at 10:06 AM, <Bill.Oxley at cox.com> wrote:

> I thought this was resolved via an expiration date x= flag. With  
> this flag set, an MUA could certainly know whether a signature was  
> still valid before attempting to verify it.

The critical element should be whether the message's signature had  
expired prior to delivery, which can be determined by checking when  
the message was received.  This check could be made days later and  
yet safely used to abate abusive replay of messages.  There is no  
need to rapidly remove valid keys and thereby make MUA verification  
precarious.  Retaining public keys for a reasonable period would be a  
reasonable strategy.  Implying that all checking must be done by the  
MTA fails miserably in efforts aimed at protecting recipients.  DKIM  
is not only about ensuring the acceptance of bulk email by the MTA.

-Doug
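
The check described above, as an added example that is not part of the original post: it compares the signature's x= tag with the time the message was received, not with the time of verification. The sample message, its domains and timestamps are constructed, the function names are hypothetical, and the topmost Received header is assumed to have been added by the recipient's own trusted MTA; the cryptographic verification itself is not shown.

```python
import email
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: x=1169251200 is 2007-01-20 00:00:00 UTC, and the
# receiving MTA stamped the message at 2007-01-19 18:23:07 UTC.
SAMPLE = (
    "Received: from mx.example.net by mail.example.org;"
    " Fri, 19 Jan 2007 10:23:07 -0800\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel1;\r\n"
    " t=1169164800; x=1169251200; h=from:to:subject; bh=...; b=...\r\n"
    "From: a@example.net\r\n"
    "\r\n"
    "body\r\n"
)

def dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def received_time(msg):
    """Timestamp of the topmost Received header (the most recent hop)."""
    top = msg.get_all("Received")[0]
    return parsedate_to_datetime(top.rsplit(";", 1)[1].strip())

def expiry_status(raw, now):
    """Classify the signature's expiration relative to delivery and to 'now'."""
    msg = email.message_from_string(raw)
    tags = dkim_tags(msg["DKIM-Signature"])
    if "x" not in tags:
        return "no-expiration"
    expires = datetime.fromtimestamp(int(tags["x"]), tz=timezone.utc)
    if received_time(msg) > expires:
        # Delivered after expiry: treat as a possible replay.
        return "expired-before-delivery"
    # Delivered in time: a later MUA check can still rely on the signature.
    return "valid-at-delivery-expired-now" if now > expires else "valid"

if __name__ == "__main__":
    print(expiry_status(SAMPLE, datetime.now(timezone.utc)))
```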


