On October 17, 2005 at 09:07, Dave Crocker wrote:

> 2. Incompatibility comes in a variety of forms. I think that for our
> purposes, the most significant difference is between a change that
> permits senders to continue with their old behaviors (over the wire) and
> still have signatures work for receivers who have upgraded. By
> contrast, requiring both senders and signers to change, in order to
> interoperate, is a massive barrier to entry for the installed base.

Hector raised a good point about attackers being able to exploit this. I.e., if standardized DKIM is more secure, attackers will exploit the legacy user base to get around the more secure version. A good example is the flaws in SSP that facilitate spoofing.

People who have adopted DK/DKIM now should realize that the technology is experimental, willing to take the risks and costs associated with deploying experiments.

It is definitely worth considering the current user base of the experimental proposals since not doing so can hinder adoption. However, security matters should trump this, especially if vulnerabilities are already known.

--ewh

_______________________________________________
ietf-dkim mailing list
http://dkim.org
