On 21 Jun 2011, at 19:47, Douglas Otis wrote:

> On 6/17/11 1:05 PM, Rolf E. Sonneveld wrote:
>> Dear all,
>>
>> after some off-list conversation with Dave he suggested I might want to
>> send this to the list. I apologize in advance if this message does not
>> apply to you. I also apologize if you get this message twice, when you
>> are subscribed to both ietf-dkim and the opendkim list.
> []
>> Regards,
>> /rolf
>
> Hi Rolf,
>
> The general goal of DKIM was to establish a domain relationship as a
> trust basis for acceptance. DKIM was also to allow incremental
> deployment without requiring undefined additional filtering performed by
> mail transfer or mail user agents. When essential format checks are
> skipped, this deficiency allows acceptance based upon DKIM's domain to
> be potentially deceptive where its results may play an evil role that
> cannot be repaired through the use of reputation.
>
> Free email providers likely use DKIM to take advantage of their "too big
> to block" volumes. For these domains, their reputation is understood to
> offer little assurance of their overall integrity. By allowing a
> pre-pended From header field to not affect the validity of a DKIM
> signature according to the specification means the UNDERSTOOD source of
> a message can NEVER be trusted.
>
> Those that phish by taking advantage of this flaw are unlikely to affect
> the acceptance of any exploited high volume domain. DKIM could have
> avoided the offering of false assurances by not ignoring illegal header
> fields per RFC5322 and defining such messages as resulting in invalid
> signatures. At this time, it would be prudent to NOT recommend use of
> DKIM due to this and a lack of required Fake A-label detection.

This seems like a completely bogus argument to me. You're saying that some domains can't be trusted, therefore none can be trusted. That's a logical fallacy.

Sure, gmail.com can't be trusted because they'll sign even spoofed emails. So, my server won't be configured to give a pass to emails signed by gmail.com.

However, that doesn't mean that I can't be more lenient with respect to emails signed by, for example, subdomains of .gov.uk, which might well be better managed.

-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
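
The two positions in this thread combine into one receiver-side check, shown here as an added example that is not code from either poster or from any DKIM implementation: refuse messages that repeat an RFC 5322 singleton header field such as From, then apply a per-domain policy to the signing domain. It assumes a DKIM verifier that runs upstream and hands over the validated d= domain; the names `duplicated_singletons`, `disposition` and `LENIENT_SUFFIXES` are hypothetical.

```python
import email

# RFC 5322 section 3.6: header fields that may appear at most once.
SINGLETON_FIELDS = ("date", "from", "sender", "reply-to", "to", "cc", "bcc",
                    "message-id", "in-reply-to", "references", "subject")

# Hypothetical local policy: signing-domain suffixes treated leniently.
LENIENT_SUFFIXES = (".gov.uk",)


def duplicated_singletons(raw_message):
    """Return the singleton fields that occur more than once."""
    msg = email.message_from_string(raw_message)
    return [f for f in SINGLETON_FIELDS if len(msg.get_all(f, [])) > 1]


def disposition(raw_message, verified_domain):
    """Decide how to treat a message.

    verified_domain is the d= value of a DKIM signature that an upstream
    verifier (assumed, not shown) already validated, or None.
    """
    dups = duplicated_singletons(raw_message)
    if dups:
        # A valid signature does not say which From field a reader is shown.
        return "reject: duplicate " + ", ".join(dups)
    if verified_domain is None:
        return "filter"
    domain = verified_domain.lower().rstrip(".")
    if any(domain.endswith(suffix) for suffix in LENIENT_SUFFIXES):
        return "lenient"
    # Any other signer gets no pass on the strength of its signature alone.
    return "filter"


# Constructed sample messages (not real mail).
CLEAN = ("From: clerk@dept.gov.uk\r\nTo: ian@example.org\r\n"
         "Subject: Minutes\r\n\r\nBody\r\n")
PREPENDED = "From: someone.else@example.net\r\n" + CLEAN
```
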
