[ietf-dkim] suspicious and SUSPICIOUS
Douglas Otis
dotis at mail-abuse.org
Mon Oct 1 11:21:13 PDT 2007
On Oct 1, 2007, at 8:37 AM, Michael Thomas wrote:
> Charles Lindsey wrote:
>> The only real solution to this problem is for B to add an
>> Authentication-Results header (see the Mail-Vet-Discuss mailing
>> list), and to include that header in its own signature. Maybe that
>> is veering off topic for this list, but at least there should be a
>> pointer to that sort of possibility.
>
> This doesn't work in the abstract because Auth-res isn't
> necessarily trustable across domains, and in fact I often don't
> trust who produced it even if it could be authenticated.
With the tpa-ssp extension for ssp, it is possible for an email
domain to indicate which DKIM domains are authorized. This scheme
scales to any number of authorizations without inducing a large
number of DNS transactions.
http://www1.tools.ietf.org/wg/dkim/draft-otis-dkim-tpa-ssp-01.txt
This extension is also able to specify which originating headers are
permitted. The authorization list is intended to ensure hashed
domain name collision is not possible.
-Doug