On Tuesday, February 07, 2012 10:42:46 PM Murray S. Kucherawy wrote:
...
> Still in WGLC until Friday. Have at it.
...

In paragraph 11.2 (forgeries), the last section of it:

Perhaps the simplest means of mitigating this threat is to assert that these reports should themselves be signed with something like DKIM. On the other hand, if there is a problem with the DKIM infrastructure at the Verifier, signing DKIM failure reports may produce reports that aren't trusted or even accepted by their intended recipients.

I think it would be useful to mention both SPF and DKIM here as one may offset failures in the other (along the lines of what DMARC is doing).

Proposed text:

Perhaps the simplest means of mitigating this threat is to assert that these reports should themselves be signed with something like DKIM or authorized with SPF. On the other hand, if there is a problem with the DKIM infrastructure at the Verifier, signing DKIM failure reports may produce reports that aren't trusted or even accepted by their intended recipients. There may be similar issues with SPF evaluation. Use of both technologies can mitigate this risk to a degree.

Scott K
