Douglas Otis:
> 
> On Sep 6, 2006, at 4:38 PM, Wietse Venema wrote:
> 
> > Jim Fenton:
> >> The aspect of user-level SSP that concerns me equally is the  
> >> transaction load.  When user-level SSP is "turned on", the  
> >> verifier MUST query for a user-level record in addition to the  
> >> domain-level record.  User-level queries are not as effectively  
> >> cached, since these are queries for individual addresses, not  
> >> domains.
> >
> > Could someone please explain the nature of the problem that would  
> > exist when these (financial) institutions can't selectively add  
> > DKIM signatures to outbound email? Engineering is about balance,  
> > but I haven't heard enough to make the trade off yet.
> 
> An institution that signs all their messages may wish to restrict  

No offense intended, but I had hoped that someone else could answer
the question, instead of the one voice that I hear advocating this
item several times a day.

> > With per-user records in the DNS, should we not be worried about  
> > brute-force attacks to guess email addresses?
> 
> Why?  The signature must be valid and the email-address must be  
> assured to be valid.  How is the email-address susceptible?

I can answer that. Exploitation of the mapping from recipient
address to DNS record name, by the application of brute force.

I expect that hammering a DNS server would be much faster and much
stealthier than hammering an SMTP server.

        Wietse
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
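Added illustration of the brute-force concern raised above (example code written for this page, not code from the thread or from any DKIM/SSP draft): if the verifier derives a per-user DNS name from the recipient address, an attacker can run the same mapping over a wordlist of local-parts and treat "record present" versus "no such name" as an oracle for which mailboxes exist, without ever opening an SMTP connection. The `_policy._domainkey` label, the per-user name form `<local-part>._policy._domainkey.<domain>`, the record contents, and the zone data are all assumptions made for the illustration.

```python
# Added example, not code from the list thread or from any DKIM/SSP draft.
# It illustrates the point made above: if the verifier derives a per-user DNS
# name from the recipient address, anyone can run that same mapping over a
# dictionary of local-parts and use "record present" vs "no such name" as an
# oracle for which addresses exist.  ASSUMPTIONS: the "_policy._domainkey"
# label, the per-user name form "<local-part>._policy._domainkey.<domain>",
# and the record contents are illustrative placeholders, not draft syntax.

POLICY_LABEL = "_policy._domainkey"   # assumed label for this illustration


def domain_record_name(domain: str) -> str:
    """Domain-level policy: one name shared by every address in the domain."""
    return f"{POLICY_LABEL}.{domain.lower()}"


def user_record_name(address: str) -> str:
    """Assumed per-user mapping: the local-part becomes one extra DNS label.

    DNS names are case-insensitive and a label holds at most 63 octets, while
    RFC 5321 local-parts are case-sensitive and may contain dots; a real scheme
    has to define how those are handled.  Here we lower-case the local-part
    and reject anything that would not fit in a single label.
    """
    local, domain = address.rsplit("@", 1)
    if not local or "." in local or len(local) > 63:
        raise ValueError(f"local-part not representable as one label: {local!r}")
    return f"{local.lower()}.{POLICY_LABEL}.{domain.lower()}"


# Constructed zone data: only existing mailboxes get a per-user record.
ZONE = {
    "_policy._domainkey.example.com": "policy=signs-all",
    "alice._policy._domainkey.example.com": "policy=signs-all",
    "carol._policy._domainkey.example.com": "policy=signs-all",
}


class FakeResolver:
    """Stand-in for a DNS resolver; None plays the role of NXDOMAIN."""

    def __init__(self, zone: dict):
        self.zone = zone
        self.queries = 0

    def txt(self, name: str):
        self.queries += 1
        return self.zone.get(name.lower())


def enumerate_addresses(resolver: FakeResolver, domain: str, candidates) -> list:
    """Attacker side: one TXT query per guess, no SMTP transaction needed."""
    found = []
    for local in candidates:
        address = f"{local}@{domain}"
        if resolver.txt(user_record_name(address)) is not None:
            found.append(address)
    return found


def distinct_query_names(domain: str, candidates, per_user: bool) -> set:
    """Number of different names a verifier would query for these addresses.

    With only a domain-level record every address maps to the same name, so
    the lookups cache well and reveal nothing about individual mailboxes.
    With per-user records each address is its own uncacheable query.
    """
    if not per_user:
        return {domain_record_name(domain)}
    return {user_record_name(f"{local}@{domain}") for local in candidates}


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "dave", "postmaster"]
    resolver = FakeResolver(ZONE)
    print(enumerate_addresses(resolver, "example.com", wordlist))
    print(resolver.queries, "DNS queries, zero SMTP connections")
    print(len(distinct_query_names("example.com", wordlist, per_user=False)),
          "name(s) queried with domain-level policy;",
          len(distinct_query_names("example.com", wordlist, per_user=True)),
          "with user-level policy")
```

Two practical caveats: replacing the plain local-part in the name with a hash of it does not close the oracle, because the attacker applies the same hash to each dictionary word before querying; and because the probes are ordinary recursive DNS lookups spread across resolvers, the target's mail servers see nothing at all, which is the stealth property the message above refers to.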