On Aug 2, 2006, at 1:59 PM, Hector Santos wrote:
DKIM was attractive because it offered a way to resolve the IP
forwarding problem and also offer strong, exclusive policies. So
since day one, I repeated the same mantra here, with no reason to
believe history will not repeat itself:
DKIM relax policies are weaker than exclusive policies
and thus are the most exploitable policies.
I do not agree. It really depends how DKIM is used. When DKIM is
used as a means of recognition, where policy provides information
related to what is "authoritative", then those messages that are not
recognized will receive appropriate levels of scrutiny. DKIM cannot
prevent someone from sending unsolicited bulk email using their
"domain of the day" from a list of previously owned domains acquired
years ago.
Those wanting to send in bulk will attempt to publish policy that
they expect will make them appear reputable. An abusive sender of
bulk email will not care whether these policies break common
services, such as mailing lists. While there are exceptional cases
where transactional messages in commerce are being heavily phished,
an expectation that exclusive policies will halt phishing is
unfortunately flawed, as noted in the Threat draft. : (
The retention of authoritative DKIM information at the MUA can be
used to apply annotations that will meet the expectations of
effectively thwarting the current spate of phishing attacks, without
breaking common services or relying upon reputation services. : )
When email is used to send more than just bulk messages, claims of
exclusivity remain problematic. Unlike SPF, a non-exclusive policy
will not change an invalid into a valid signature. While it may be
true there was a shift in the population of "exclusive" SPF records,
this likely relates to how these records are now being used. AOL
required these records for white-listing of bulk senders. Worried
about other clients impinging upon their reputation, exclusivity
blocks other clients from also referencing their white-listed
records. This exclusivity however has a significant downside, just
as it does for DKIM, even though with different services.
Here a possible cause for the drop of adoption has been attributed to
problems created by exclusive records:
http://hxr.us/blojsom/blog/grumpops/computers/anti-spam/?permalink=SPF_Adoption_Nosedives.txt
Authoritative information will allow broader adoption of DKIM with
simpler autonomous management schemes. Exclusivity assertions will
likely represent a short-term stop-gap measure. Not asserting
exclusivity by those being phished likely depends upon greater
adoption of MUAs intelligently making use of DKIM-related
information. This stop-gap measure, if nothing more than to prove
its eventual futility, should be just a flag that claims exclusive
use of designated signing domains. The other settings in your scheme
seem overly complex and unnecessary.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html