On Sat, 2005-11-19 at 15:22 -0500, Hector Santos wrote:

> You might have brow beating down Scott, but this is totally false because
> the MTA can reject it before the MUA. It doesn't need a VISUAL presentation
> or confirmation.

How is a look-alike domain rejected by comparing the From and signing domains?

> > The "broad" binding mode would offer the same ability to reject
> > messages at the SMTP session as would the SSP 'o=!' policy, but in
> > microseconds rather than seconds.
>
> Your DKIM options a heavy reliance on SMTP caching information, a
> centralized reputation database, threatens the security of internal User
> Account databases, and relies on an unestablished protocol called CSV/CSA or
> whatever the name of the month it has.

With this statement it is hard to decide where you have erred. While indeed this binding strategy caches information, this is no different than what is being done with DNS. In fact, DNS can be used as the storage/retrieval mechanism, as only domain names are required, which can be held in a zone. This caching strategy would also help in detecting other types of attacks.

I don't know what security risk is created for user accounts. If anything, the user could be notified by the provider when their system has been compromised when opaque-identifiers are employed. Opaque-identifiers are not essential for the binding strategy, but they would reduce intra-domain spoofing.

I would consider DoS protection afforded by CSV a totally separate issue.

Reputation of some sort remains an unfortunate fact of life, and is also a totally separate issue.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
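Added illustration, not part of the thread and not code from any DKIM implementation: a Python sketch of the binding check Doug describes, comparing the From domain with the DKIM d= tag against a locally cached binding table that stands in for the DNS zone he mentions. The table name BINDINGS, the function evaluate and the "strict" reading of the SSP 'o=!' policy (all of a domain's mail is signed with d= equal to the From domain) are assumptions made here; the cryptographic verification of the signature is assumed to have already succeeded, so only the domain binding is examined. The last constructed sample shows the point of the opening question: a look-alike domain that signs its own mail is not rejected by the comparison alone, because no binding exists for it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed binding table: stands in for the DNS-held (and locally cached)
# record of which domains bind their From domain to their own signing domain.
# "strict" is assumed here to mean: all of this domain's mail is signed with
# d= equal to the From domain, so reject anything else (the 'o=!' reading).
BINDINGS = {"example.com": "strict", "example.net": "strict"}


def from_domain(raw: str) -> str:
    """Domain of the RFC 5322 From address, lower-cased ('' if absent)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def signing_domain(raw: str) -> Optional[str]:
    """The d= tag of the first DKIM-Signature header, or None if unsigned.

    The signature is assumed to have verified already; this only reads the tag.
    """
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    # Tags are ';'-separated; anchor on the separator so 'bh=' is not mistaken for 'd='.
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def evaluate(raw: str) -> str:
    """Binding decision an MTA could make before any MUA is involved."""
    f = from_domain(raw)
    d = signing_domain(raw)
    if BINDINGS.get(f) == "strict":
        if d is None:
            return "reject: unsigned mail from a bound domain"
        if d != f:
            return "reject: signing domain %s does not match From domain %s" % (d, f)
        return "accept: From domain bound to its own signature"
    # No binding published for the From domain: the comparison has nothing to
    # enforce. A look-alike domain signing its own mail lands here.
    if d == f:
        return "accept: self-signed, but no binding published for this domain"
    return "accept: no policy for this From domain"


# Constructed sample messages (not real traffic).
GOOD = (
    "From: Alice <alice@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:to; bh=x; b=y\n"
    "Subject: hi\n\nbody\n"
)
MISMATCH = (
    "From: Alice <alice@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=thirdparty.test; s=sel; h=from; bh=x; b=y\n"
    "Subject: hi\n\nbody\n"
)
UNSIGNED = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
LOOKALIKE = (
    "From: Alice <alice@examp1e.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=examp1e.com; s=sel; h=from; bh=x; b=y\n"
    "Subject: hi\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("mismatch", MISMATCH),
                      ("unsigned", UNSIGNED), ("lookalike", LOOKALIKE)]:
        print(name, "->", evaluate(raw))
```

The table lookup is the whole cost of the check, which is what makes it usable at the SMTP session rather than after delivery; what it cannot do is tell examp1e.com from example.com, since that distinction is not a property of the signature binding at all.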
