[ietf-dkim] Change to Section 6
Douglas Otis
dotis at mail-abuse.org
Fri Jan 19 14:16:13 PST 2007
On Jan 19, 2007, at 1:35 PM, Paul Hoffman wrote:
> At 9:59 AM -0800 1/19/07, Douglas Otis wrote:
>> On Jan 19, 2007, at 3:57 AM, Stephen Farrell wrote:
>>> 6. Verifier Actions
>>> ...
>>> Since a signer MAY remove or revoke a public key at any time, it
>>> is recommended that verification occur in a timely manner. In
>>> many configurations, the most timely place is during acceptance
>>> by the border MTA or shortly thereafter. [In particular,
>>> deferring verification until the message is accessed by the end
>>> user is discouraged.]
>>
>> This precaution should be removed!!
>
> I disagree with Doug and agree with the wording in the current
> document.
Paul,
Would you explain the reasoning for discouraging verification at the MUA?

When annotations are applied by the MUA based upon email-addresses trusted by the recipient (which is how recipients might achieve look-alike spoofing protections at no cost), then verification should take place at the MUA and not at the MDA. While DAC listed signing-domains might provide a category of annotation that can be applied at the MTA, there are many cases where third-party assurance is not required for protection to be realized. Discouraging verification at the MUA seems aimed at only permitting third-party assurances as a means for annotating messages. :(

What prevents public keys from remaining available for a reasonable period to accommodate MUA use? What annotation criteria can be safely applied at the MDA? How can verification results be safely communicated to the MUA for email-address specific annotation?
-Doug
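The following is an added, constructed Python model of the timing problem the quoted Section 6 text and Doug's last paragraph are arguing about; it is not code from the thread, the DKIM specification, or any DKIM implementation. It uses textbook RSA on two fixed small primes purely as a stand-in for DKIM's real signature (no padding, no canonicalization, no real key sizes), a dictionary as the signer's DNS zone, and a hypothetical verifier name `mda.example.net`. It shows three things: a verification done at the border MTA/MDA while the selector is published passes; the same verification attempted later by an MUA, after the signer has removed the key, returns a key-missing result that cannot be told apart from a forgery; and the MDA can hand its result to the MUA for per-address annotation by first discarding any result line an outside party stuffed in under the MDA's own name, then recording its own. The MUA-side annotation is keyed on email addresses the user trusts, as Doug proposes, but consumes the MDA's recorded verdict rather than re-verifying.

```python
"""Constructed model of DKIM verification timing: verify while the key is published,
record the result at the MDA, let the MUA annotate from that recorded result."""
import hashlib
from dataclasses import dataclass, field

# Toy public-key signature: textbook RSA on fixed small primes (constructed stand-in;
# real DKIM signs canonicalized headers with full-size RSA or Ed25519 and padding).
P, Q = 1000000007, 998244353          # known primes, far too small for real use
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, never leaves the signer


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes) -> int:
    return pow(_digest(data, N), D, N)


def verify_sig(data: bytes, sig: int, pub: tuple) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


@dataclass
class KeyStore:
    """The signer's DNS zone: <selector>._domainkey.<domain> -> public key, removable at will."""
    records: dict = field(default_factory=dict)

    def publish(self, selector: str, domain: str, pub: tuple) -> None:
        self.records[f"{selector}._domainkey.{domain}"] = pub

    def revoke(self, selector: str, domain: str) -> None:
        self.records.pop(f"{selector}._domainkey.{domain}", None)

    def lookup(self, selector: str, domain: str):
        return self.records.get(f"{selector}._domainkey.{domain}")


def verify(msg: dict, dns: KeyStore) -> str:
    """'pass', 'fail', or 'permerror' (no key: revoked or never existed, indistinguishable)."""
    pub = dns.lookup(msg["s"], msg["d"])
    if pub is None:
        return "permerror"
    return "pass" if verify_sig(msg["body"], msg["sig"], pub) else "fail"


AUTHSERV_ID = "mda.example.net"   # hypothetical identifier of the recipient's own verifier


def mda_receive(msg: dict, dns: KeyStore) -> dict:
    """Border MTA/MDA: drop any result claiming our own authserv-id, verify now, record ours."""
    out = dict(msg)
    kept = [r for r in msg.get("auth_results", []) if not r.startswith(AUTHSERV_ID + ";")]
    kept.append(f"{AUTHSERV_ID}; dkim={verify(msg, dns)} header.d={msg['d']}")
    out["auth_results"] = kept
    return out


def mua_annotate(msg: dict, trusted_senders: set) -> str:
    """MUA: annotate only addresses the user trusts, using the MDA's recorded result."""
    if msg["from"] not in trusted_senders:
        return "no-annotation"
    domain = msg["from"].split("@")[1]
    for r in msg.get("auth_results", []):
        if r.startswith(AUTHSERV_ID + ";") and f"dkim=pass header.d={domain}" in r:
            return "verified-trusted-sender"
    return "unverified"


def run_scenario() -> dict:
    dns = KeyStore()
    dns.publish("jan07", "example.com", (N, E))
    body = b"From: alice@example.com\r\n\r\nhello"
    # Constructed message; an outside party has already stuffed in a forged result line.
    msg = {"from": "alice@example.com", "d": "example.com", "s": "jan07",
           "body": body, "sig": sign(body),
           "auth_results": [f"{AUTHSERV_ID}; dkim=pass header.d=example.com"]}
    tampered = dict(msg, body=b"From: alice@example.com\r\n\r\nsend funds")
    at_mda = mda_receive(msg, dns)            # verified while the key is still published
    tampered_at_mda = mda_receive(tampered, dns)
    dns.revoke("jan07", "example.com")        # signer retires the selector afterwards
    trusted = {"alice@example.com"}
    return {
        "mda_verdict": at_mda["auth_results"],          # forged line gone, our own recorded
        "tampered_annotation": mua_annotate(tampered_at_mda, trusted),
        "late_mua_verify": verify(msg, dns),            # key gone: looks exactly like a forgery
        "mua_annotation": mua_annotate(at_mda, trusted),
        "untrusted_sender": mua_annotate({**at_mda, "from": "bob@example.com"}, trusted),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The stripping step in `mda_receive` is the part that makes the MDA-to-MUA hand-off safe: without it, the forged `auth_results` line constructed in `run_scenario` would reach the MUA carrying the MDA's own name and a `dkim=pass`, and the per-address annotation would be spoofable by anyone who can add a header. The `late_mua_verify` value is the spec's concern in one line: once the selector record is gone, the MUA sees `permerror` for a genuine message and has no way to distinguish it from a message whose signature never had a key behind it.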