> On May 6, 2015, at 4:45 PM, Douglas Otis <doug.mtv...@gmail.com> wrote:
> 
> 
> Defending against DDoS is very difficult, but that was not
> the concern.  Collateral damage would be of legitimate
> messages inadvertently blocked when removing a common DKIM
> signature.

What do you mean by remove?  You mean destroy, invalidate existing signatures?

Keep in mind this MAY be desirable, in fact the DKIM STD76 theory is that 
resigners can occur blindly anywhere with the mail path.  You don't have to 
destroy the original integrity during resign, yet that transaction may be 
illegal (per policy) with the fact it has been resigned.


> There is also the challenge of managing a
> double-signature re-signing process where it must be assumed
> not all destinations receive a signature delegation.  Even
> this double signing process may prove problematic when it
> goes beyond SQL query rates.  

SQL? <g>. Some folks are more optimized using ISAM/BTREE databases! 

> There is also another concern
> regarding any phishing campaign permitted by effectively
> signing unknown content.  Only by removing DKIM signatures
> from DNS would a DMARC domain be able to squelch a phishing
> attack it inadvertently authorized.  TPA-Label allows
> authorization removal to be based on the destination domain
> and even a specific list-id.  TPA-Label would not impact any
> existing DKIM signing process since authorization by
> destination is managed by TPA-Label zones.
> 

Doug,  we know a positive result of a DNS lookup will work.  I believe you wish 
to add more complex semantics on the parsing of the lookup results,  I believe 
that's ok. But we need a basic yes/no query.   Maybe it can be sold if we offer 
more bang for the buck on each call but overall, it needs to be very simple.  

--
Hector Santos
http://www.santronics.com
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
