On Mon, Dec 12, 2022 at 1:13 AM Alessandro Vesely <[email protected]> wrote:

> > The alternative is to say: Well, if you can't make at least one of those
> > two quantities bulletproof, then don't sign your mail.  That, though,
> > sounds a lot to me like tossing DKIM in the bin.
>
> On the opposite, if Gmail restricted signing to accountable users only, its
> signatures would gain value.  If they started doing so it would soon be
> noticed, and signatures would acquire a meaning in delivery decisions.
>

Is the cost of imposing a program that vets every user comparable to that
of the damage caused by this attack vector?  My impression is that it is
not.

> Endowing signatures with a significant value increases the overall value of
> DKIM.
>

Presumably they already have significant value.  That's why this attack
works already.

The question is whether we should proclaim that the bar needs to be even
higher, maybe even an all-or-nothing proposition.  I'm suggesting that's
not a good idea.

-MSK
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim