Re: [ietf-dkim] Change to Section 6

[Douglas Otis]

On Jan 23, 2007, at 8:50 AM, Hector Santos wrote:
Douglas Otis wrote:
On Tue, 2007-01-23 at 10:07 -0500, [EMAIL PROTECTED] wrote:

Authoritative statements made by a DKIM aware MUA is a good  
thing. However from an ISP perspective I would not depend on an  
end user to have a DKIM aware MUA but will verify and do Policy  
silently at my edge MTA devices. Any mail that makes it past  
there can still be acted upon by the MUA.

There are millions of new domains added and removed every day.

And if true, any given average node only sees 0.001% of them if that.

How is this relevant?  New domains are often exploited before a  
registry can compile and transfer what has changed.  For ".com" there  
might be a 12 hour lag in noting the millions of new domains, which  
is a short interval compared to some TLDs.

Should the MTA verify DKIM signatures before applying filters?

Thats out of your control.

Verifying DKIM signatures after applying filters informs bad actors  
what has slipped through.  Unless a valid signature permits the  
filter to be bypassed, there is little value validating a signature  
afterwards.  Verifying all signatures ahead of filters will increase  
require resources.  Verifying all DKIM signatures adds cost and opens  
the door to DDoS concerns without tangible benefit.  When the MTA  
will bypass spam or phishing filters based upon specific signatures,  
these are the only signatures logically that should be validated.   
The MUA can also be highly selective by only validating signatures  
trusted by the recipient.  Such a strategy reduces resources demanded  
by DKIM deployment, and will not leak critical processing information  
to bad actors.

Don't forget about Display-Name only, clever use of UTF-8, cousin  
domains, and  obfuscations making it appear as though the email- 
address is displayed.

So if the MTA can't handle it, we'll pass you that junk so you can  
deal with it.  A six pack your MUA can't deal with it neither!

There should not be any expectation that all signatures have been  
verified.  Logically only those signatures that might rescue a  
message from being rejected should be checked.  This checking should  
be selective and happen ahead of other filtering.  Essentially this  
means that not all signatures should be checked.

There are millions more MUAs than there are MTAs.  This may suggest  
which MTA versus MUA effort might be better at scaling.  How about a  
bottle of Cabernet versus your six-pack? : )

-Doug



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html