MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues)

Hector Santos hsantos at santronics.com
Tue Jun 5 14:25:26 PDT 2007


Damon,

You're right. I meant the NO-MAIL policy in my paragraph below.  To me, 
the fundamental "natural laws" for DKIM or any SIGNING concept are:

    - I ALWAYS SIGN THIS DOMAIN

    - I NEVER SIGN THIS DOMAIN

    - SIGNED OR NOT SIGNED, DO NOT EXPECT MAIL FROM THIS DOMAIN -
      WE DON'T USE THIS DOMAIN FOR EMAIL. PERIOD.

    - NO ONE BUT MY DOMAIN SIGNS (no 3rd parties)

    - OTHERS CAN SIGN (Preferably from an authorized list)

It really has nothing to do with the validity of the signature.  The 
mere fact that one of the above may conflict with the domain 
expectations is a protocol violation in itself.

And what is very important, and what DSAP was all about, is that they can 
all easily happen naturally in practice, directly and indirectly - hence a 
security issue.

-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com


Damon wrote:
>> The DKIM "Policies Concept" design MUST include an "I NEVER SIGN" or "NO
>> SIGNATURE" domain expectation concept as a requirement.   This is a
>> fundamental protection for the otherwise unprotected DKIM-BASE signature
>> process and now that we are discussing wild cards and sub-domains, this
>> no-signature idea becomes even more prevalent.
>>
>> -- 
>> Sincerely
>>
>> Hector Santos, CTO
> 
> I hope someone can straighten me out on this because I am getting a
> little confused.
> There is a difference between "I Never Sign" and "I send no mail".
> While I actually support BOTH, I didn't think that "I Never Sign" was
> in question.
> Is it?
> 
> Regards,
> Damon Sauer
> 
> 
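A verifier-side sketch of the five expectations in the list above, added here as an illustration; it is not code from Hector, from DSAP, from SSP or from any DKIM implementation. The two-axis encoding (a signing expectation plus a third-party expectation), the `DomainPolicy` and `Signature` types, the domain names and the scenarios are all assumptions made for the example, and no DSAP or SSP record syntax is modelled. The point it demonstrates is the one the message makes: the policy check is decided on whether a signature is present and who signed, and a cryptographically valid signature can still be a violation.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Signing(Enum):
    """Whether the author domain signs at all (first three items in the list)."""
    ALWAYS = "always"      # I ALWAYS SIGN THIS DOMAIN
    NEVER = "never"        # I NEVER SIGN THIS DOMAIN
    NO_MAIL = "no-mail"    # WE DON'T USE THIS DOMAIN FOR EMAIL. PERIOD.


class ThirdParty(Enum):
    """Who else may sign (last two items in the list)."""
    FIRST_PARTY_ONLY = "first-party-only"  # NO ONE BUT MY DOMAIN SIGNS
    OTHERS_OK = "others-ok"                # OTHERS CAN SIGN (optionally from a list)


@dataclass(frozen=True)
class DomainPolicy:
    """Assumed encoding of a domain's published expectation (not DSAP/SSP syntax)."""
    signing: Signing
    third_party: ThirdParty = ThirdParty.FIRST_PARTY_ONLY
    authorized_signers: FrozenSet[str] = frozenset()   # empty set = any third party


@dataclass(frozen=True)
class Signature:
    """One DKIM-Signature header as seen by the verifier."""
    signing_domain: str   # the d= tag
    valid: bool           # outcome of the cryptographic verification step


def evaluate(author_domain: str, policy: DomainPolicy,
             signatures: List[Signature]) -> Tuple[str, str]:
    """Compare the signatures on a message with the author domain's policy.

    Returns ("accept", reason) or ("violation", reason).  Presence of a
    signature is checked against the policy before validity is considered:
    a cryptographically valid signature can still violate the expectation,
    and a broken signature is treated as if it were absent.
    """
    author = author_domain.lower()
    first_party = [s for s in signatures if s.signing_domain.lower() == author]
    third_party = [s for s in signatures if s.signing_domain.lower() != author]
    allowed = {d.lower() for d in policy.authorized_signers}

    # 1. Mail from a no-mail domain is unexpected whether signed or not.
    if policy.signing is Signing.NO_MAIL:
        return "violation", "domain declares it sends no mail"

    # 2. Third-party expectation: judged on who signed, not on validity.
    if third_party and policy.third_party is ThirdParty.FIRST_PARTY_ONLY:
        names = ",".join(sorted({s.signing_domain.lower() for s in third_party}))
        return "violation", f"third-party signature from {names} not permitted"
    unlisted = sorted({s.signing_domain.lower() for s in third_party
                       if allowed and s.signing_domain.lower() not in allowed})
    if unlisted:
        return "violation", f"third-party signer {','.join(unlisted)} not on the authorized list"

    # 3. First-party expectation.
    if policy.signing is Signing.NEVER:
        if first_party:
            return "violation", "domain never signs, but a first-party signature is present"
        return "accept", "no first-party signature, as the never-sign policy expects"

    # Signing.ALWAYS: some permitted signature must actually verify.
    if any(s.valid for s in first_party):
        return "accept", "valid first-party signature present"
    if any(s.valid for s in third_party):   # only reachable when third parties are permitted
        return "accept", "valid authorized third-party signature present"
    return "violation", "domain always signs, but no valid signature found"


# Constructed scenarios; the domain names are placeholders, not real policies.
SCENARIOS: Dict[str, Tuple[str, DomainPolicy, List[Signature]]] = {
    "always-valid":         ("bank.example", DomainPolicy(Signing.ALWAYS),
                             [Signature("bank.example", True)]),
    "always-unsigned":      ("bank.example", DomainPolicy(Signing.ALWAYS), []),
    "always-broken":        ("bank.example", DomainPolicy(Signing.ALWAYS),
                             [Signature("bank.example", False)]),
    "never-but-signed":     ("legal.example", DomainPolicy(Signing.NEVER),
                             [Signature("legal.example", True)]),
    "nomail-but-signed":    ("parked.example", DomainPolicy(Signing.NO_MAIL),
                             [Signature("parked.example", True)]),
    "firstonly-thirdparty": ("bank.example", DomainPolicy(Signing.ALWAYS),
                             [Signature("bank.example", True), Signature("lists.example", True)]),
    "othersok-listed":      ("news.example",
                             DomainPolicy(Signing.ALWAYS, ThirdParty.OTHERS_OK, frozenset({"esp.example"})),
                             [Signature("esp.example", True)]),
    "othersok-unlisted":    ("news.example",
                             DomainPolicy(Signing.ALWAYS, ThirdParty.OTHERS_OK, frozenset({"esp.example"})),
                             [Signature("spammer.example", True)]),
}


def run_scenarios() -> Dict[str, str]:
    """Outcome ('accept' or 'violation') for every constructed scenario."""
    return {name: evaluate(a, p, s)[0] for name, (a, p, s) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (a, p, s) in SCENARIOS.items():
        outcome, reason = evaluate(a, p, s)
        print(f"{name:22s} {outcome:9s} {reason}")
```

Running the module prints one line per scenario. The cases worth noticing are "never-but-signed" and "nomail-but-signed", where the signature verifies but the outcome is still a violation, and "always-broken", where an invalid signature is treated the same as no signature; the third-party list check is applied to the d= domain alone, so a verifier using this shape would still need to decide how wildcard and subdomain policies map onto the author domain, which is the open question in the thread.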