Murray S. Kucherawy wrote:
>> -----Original Message-----
>> Alessandro Vesely
>>
>> However, the other issue is to break or remove author domain
>> signatures. John has pointed this out for a long time, for FBL
>> reasons. Doug has brought out the same issue for replay attacks
>> aimed at breaking reputation, because replaying is definitely out of
>> control in case of publicly distributed messages.
>
> What's the danger of replaying legitimate mail, other than
> to cause volume detection alarms to go off?

I think the issue is that we don't know what the assessors do, if anything. We won't know how stripping or keeping broken signatures will *warm* up these heuristic/reputation based assessors with indeterminate DKIM messages.

BTW, it really has nothing to do with ADSP because it applies to reputation services as well.

Here is a possible scenario:

An ISP begins to offer a 3rd-party signing service to its email hosting domains. The ISP is intent on getting its signing domain registered with every known reputation and domain certification service bureau, existing or startup.

So I sign up (at $5, $10 extra per month, or free perhaps) and now all my mail is signed by the 3rd-party ISP domain.

I forget about all that and one day I see this great list I want to subscribe to. I do, and unbeknownst to me, the list is blindly resigning the mail.

Unless the LIST domain is part of the same "registration" the ISP did with all the new reputation and domain certification services out there, I have now lost my $5, $10 value of using my ISP's 3rd-party signing service through this list stream.

Either way, it all goes back to a centralization concept of some form, a network of reputation services or a self-asserting DNS domain policy. Until we have an understanding of how the many assessors will work, separately or in concert, we have no idea how indeterminate DKIM mail will warm up these systems with stripped or kept broken signatures.

In the meantime, the better solution possible today is to allow the self-asserting domain to declare its expectation and policies for mail distribution, if only for one reason: to maintain a high benefit of 1st-party signatures while you guys figure out how LIST systems ought to work.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
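The scenario in the message above (an ISP-signed message passing through a list that appends a footer and re-signs, with the original signature either kept broken or stripped) as an added, constructed example; this is not code from the thread or from any DKIM implementation. It assumes HMAC-SHA256 with a per-domain secret as a stand-in for the RSA signature and DNS-published key that real DKIM (RFC 6376) uses, the hypothetical domains `isp.example` and `list.example`, a simplified header canonicalization over only From and Subject, and the helper names `sign`, `verify`, `list_resign` and `credited_domains`. The body canonicalization is the RFC 6376 "relaxed" algorithm, so the example also shows which changes a relay can make without breaking the author-domain signature.

```python
"""Simplified DKIM-style signing showing what a re-signing mailing list does
to an author-domain signature. Constructed example: HMAC stands in for the
RSA signature real DKIM uses, so it runs offline with no DNS lookups."""
import base64
import hashlib
import hmac
import re

# Assumed per-domain secrets (stand-in for the public keys DKIM publishes in DNS).
KEYS = {"isp.example": b"isp-selector-secret", "list.example": b"list-selector-secret"}
SIGNED_HEADERS = ("from", "subject")


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace to
    one space, strip trailing whitespace, drop trailing empty lines, CRLF ends."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t")
             for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(l + "\r\n" for l in lines)


def body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def header_value(msg, name):
    for n, v in msg["headers"]:
        if n.lower() == name.lower():
            return v.strip()
    return ""


def signing_input(msg, bh):
    # Relaxed-style header canonicalization: lowercase names, trimmed values.
    parts = [f"{h}:{header_value(msg, h)}" for h in SIGNED_HEADERS]
    return ("\r\n".join(parts) + "\r\nbh=" + bh).encode()


def sign(msg, domain):
    """Prepend a DKIM-Signature-like header for `domain` (HMAC stand-in for b=)."""
    bh = body_hash(msg["body"])
    tag = hmac.new(KEYS[domain], signing_input(msg, bh), hashlib.sha256).digest()
    b = base64.b64encode(tag).decode()
    sig = f"d={domain}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b={b}"
    return {"headers": [("DKIM-Signature", sig)] + list(msg["headers"]), "body": msg["body"]}


def parse_tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def verify(msg):
    """Return {domain: 'pass'|'fail'} for every DKIM-Signature on the message."""
    results = {}
    for n, v in msg["headers"]:
        if n.lower() != "dkim-signature":
            continue
        tags = parse_tags(v)
        d = tags.get("d", "")
        if d not in KEYS or tags.get("bh") != body_hash(msg["body"]):
            results[d] = "fail"  # body changed after signing, or unknown signer
            continue
        expected = hmac.new(KEYS[d], signing_input(msg, tags["bh"]), hashlib.sha256).digest()
        ok = hmac.compare_digest(base64.b64decode(tags.get("b", "")), expected)
        results[d] = "pass" if ok else "fail"
    return results


def list_resign(msg, strip_broken=False):
    """What the list does: append a footer (which breaks the author-domain
    signature), optionally strip the now-broken signatures, sign as the list."""
    headers = [(n, v) for n, v in msg["headers"]
               if not (strip_broken and n.lower() == "dkim-signature")]
    body = msg["body"] + "\r\n-- \r\nlist footer: http://list.example/unsubscribe\r\n"
    return sign({"headers": headers, "body": body}, "list.example")


def credited_domains(msg):
    """A minimal assessor: only domains whose signature verifies get credit."""
    return {d for d, r in verify(msg).items() if r == "pass"}


# Constructed message signed by the author's ISP (the 3rd-party signing service).
ORIGINAL = sign({"headers": [("From", "hector@santronics.example"),
                              ("Subject", "DKIM and lists")],
                 "body": "Hello list,\r\n\r\nsome  text here   \r\n"}, "isp.example")

if __name__ == "__main__":
    print("direct delivery:", verify(ORIGINAL), credited_domains(ORIGINAL))
    kept = list_resign(ORIGINAL)
    print("via list, broken sig kept:", verify(kept), credited_domains(kept))
    stripped = list_resign(ORIGINAL, strip_broken=True)
    print("via list, broken sig stripped:", verify(stripped), credited_domains(stripped))
```

Whether the list keeps or strips the broken `isp.example` signature, an assessor that credits only verifying signatures sees exactly one creditable domain, `list.example`; the difference between the two cases is only visible to an assessor that chooses to do something with a failed signature, which is the unknown the message is pointing at. The whitespace-only relay change in the test passes because relaxed canonicalization normalizes it before hashing; appending a footer line does not.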
