----- Original Message ----- From: "John Levine" <[EMAIL PROTECTED]> To: "Wietse Venema" <[EMAIL PROTECTED]> Cc: <[email protected]> Sent: Sunday, August 27, 2006 11:41 AM Subject: Re: [ietf-dkim] Re: Responsibility concerns with DesignatedSigningDomains
> Actually, I think the problem is that people want to read > way too much meaning into a DKIM signature. If a message > is signed by blah.com, all that means is "if you don't > like this message, blame blah.com." That's it. Despite > quite a lot of loud wishful thinking from people in my killfile, > .... You know John, your mail would be so more delightful and interesting to read, as was this one, with valid points, if such ignorant and nonsense statements was kept to yourself. > This is an important deliberate design decision. In my case, > for example, I expect to sign all the outgoing mail at my MTA > with my main domain, even though I have users who send mail in > about 200 vanity and small biz domains. So long as my users > behave, which they do, there is no point to trying to match > up signatures with From: lines and the effort to do so would > be so great that I wouldn't, anyway. Fair enough. But consider this: The evolving bad actor will now know the existence of DKIM ready John.com and like systems out there. They will know they have a way to blast mail with a higher phishing confidence in attacks against other remote systems around the world using your domains and user email addresses information. Example: A phish/spoof to OTHER systems, not from your users or system. From: User @ ChezJohn.com To: PoorShmuck @ PhishingTarget.com Subject: Some enticing topic Sender: Joel @ TrustMe.com DKIM-Signature: d=John.com; # fake/invalid 1st party DKIM-Signature: d=TrustMe.com # valid 3rd party So it is not just about *you* and how well behave your social network or users are, but how bad actors very easilly begin to use *you* to exploit others. > Finally, don't forget that recipients have great latitude in > their interpretation of DKIM signatures. If you don't think > that third party signatures tell you anything useful, you > can always ignore them. That's very true. DKIM MUA Market will have a role. We have it planned to update our Mail Readers to support DKIM too. But so will the DKIM SMTP market have a major role too as the centralized source for its user network. The clear direction in the security market is to be more proactive in preempting malicious behavior (default OFF). Passing the buck to the user has been shown to not work very well. Of course, with smarter readers, it will help. But we can't assume the market of users, especially those outside your own social network, will be using the required special DKIM MUA. -- Hector Santos, Santronics Software, Inc. http://www.santronics.com _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
