Doug,

As I think I mentioned before, Section 2 doesn't deal with threats to DKIM, it deals with threats in the absence of DKIM. So this isn't the right place to bring up opaque IDs. Section 4.1.4 paragraph 4 discusses the potential usage of opaque IDs, which I think is the right context.

-Jim

Douglas Otis wrote:
> ,---
> | 2.3.2. Within Claimed Originator's Administrative Unit
> |
> | ... Since the submission of
> | messages in this area generally occurs prior to the application of a
> | message signature, DKIM is not directly effective against these bad
> | actors. Defense against these bad actors is dependent upon other
> | means, such as proper use of firewalls, and mail submission agents
> | that are configured to authenticate the sender.
> '---
>
> While currently DKIM does not offer a standardized means to both track
> and immediately revoke abuse emanating from the originating domain,
> abuse of this nature represents a substantial portion of the abuse
> problem. The dkim-options draft illustrates mechanisms comprised of
> persistent Opaque-IDs and revocation records. By using a persistent
> O-ID, the AdmD source of abuse can be tracked and readily reported by
> third-parties. Resolution of the abuse is also made apparent by use
> of the revocation record. This scheme neither exposes nor depends upon
> an email-address.
>
> http://www.ietf.org/internet-drafts/draft-otis-dkim-options-00.txt
>
> Should be:
> : Although the submission of messages may be prior to the application
> : of a message signature, submissions are commonly authenticated
> : internally within the AdmD by mail submission agents. By including
> : a persistent identifier within the signature, a substantial source
> : for email abuse can be abated with the use of DKIM. The identifier
> : itself can be block-listed by the sending domain immediately
> : without requiring the expiry of a key TTL. Defense against bad
> : actors is also improved with the proper use of firewalls and OS
> : maintenance.
> _______________________________________________
> ietf-dkim mailing list
> http://dkim.org
