
Feedback from my last posting on DomainKeys




I saw I had one lonely comment on my last posting and was actually excited to see Chris Linfoot himself commented. I don't go nearly as in depth as he does when talking about Domino and SMTP stuff (mainly because one area I want to do I am still under contract with The View not to write up for now). But he linked to a posting of his that went into great detail, which I enjoyed reading, and you should read it as well.

So let's just follow along on more of my thoughts and let the two postings work together. Chris covers header changes and brings up a point I was actually getting to in the receiving-side posting I was going to do. Many of you scan, add fields and make all sorts of changes. My thought here is that to make this work the right way would be an investment on the receiver side to place an SMTP box that does nothing but check DomainKeys before sending the message through. This box would not scan, add fields, or do about anything but verify integrity. This whole thing also assumes that the sender does nothing to the message past the point of the sending server that is listed with DomainKeys.

So Chris summed it up right there. If there are changes made to the message after the sending and before the DomainKey can be verified, there are huge flaws in this plan. While whitelisting is something I have been playing with internally, it has a long way to go since you require management of a private DNS whitelist or you have to trust a public one, just as you do the blacklist sites. I also pondered one thing, and that has to deal with S/MIME and keeping the encryption and digital signatures separate. I would imagine the content is of course S/MIME and the wrapper of the message is DomainKeys, but what about digital signatures? This is all leading me to a complete rewrite for verification that would cover all three. I could see this draft coming somewhere down the road. A single source solution that would eliminate having to keep track of whitelists, blacklists, keys for individuals and encryption. A buffet of sorts.
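To make the ordering problem above concrete, here is an added example (not code from this post or from Chris's) that models a verify-only box in front of a content scanner. It assumes a SHA-256 digest as a stand-in for the real signature and a simplified version of the DomainKeys "nofws" canonicalization; the relay and scanner functions and the sample message are hypothetical.

```python
import hashlib
import re

def canon_nofws(headers, body):
    """Simplified nofws-style form: remove all whitespace in every line
    (this also unfolds headers) and ignore empty lines at the end of the body."""
    squeeze = lambda s: re.sub(r"\s+", "", s)
    lines = [squeeze(l) for l in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(squeeze(h) for h in headers) + "\r\n\r\n" + "\r\n".join(lines)

def seal(headers, body):
    """Assumption: a digest stands in for the sender's RSA signature."""
    return hashlib.sha256(canon_nofws(headers, body).encode("utf-8")).hexdigest()

def verify(headers, body, sealed):
    return seal(headers, body) == sealed

def refolding_relay(headers, body):
    """Hypothetical relay that only rewraps headers and appends blank lines."""
    return [h.replace(", ", ",\n ") for h in headers], body + "\n\n"

def content_scanner(headers, body):
    """Hypothetical scanner that tags the Subject and appends a footer."""
    tagged = [h.replace("Subject: ", "Subject: [SCANNED] ", 1)
              if h.startswith("Subject: ") else h for h in headers]
    return tagged, body + "\n-- \nChecked by gateway scanner\n"

# Constructed sample message, sealed as it leaves the sending server.
HEADERS = ["From: alice@example.com",
           "To: bob@example.org, carol@example.org",
           "Subject: Quarterly numbers"]
BODY = "Numbers are attached.\nRegards,\nAlice\n"
SEALED = seal(HEADERS, BODY)

def verify_first():
    """Verify-only box runs before the scanner touches the message."""
    ok = verify(HEADERS, BODY, SEALED)
    content_scanner(HEADERS, BODY)  # later changes no longer matter to the check
    return ok

def scan_first():
    """Scanner runs first, so the verifier sees the modified message."""
    return verify(*content_scanner(HEADERS, BODY), SEALED)

if __name__ == "__main__":
    print("verify first:", verify_first())
    print("scan first:  ", scan_first())
    print("refold only: ", verify(*refolding_relay(HEADERS, BODY), SEALED))
```

Whitespace-only rewrapping survives because the canonical form ignores it, while the Subject tag and footer do not.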

I can see abuse of public whitelist servers, of people trying to get themselves listed. How would that occur? Well, some sort of verification, one would presume, right? And even if a domain is whitelisted, who is to say that is where it came from, or what if the sending SMTP host differs from the domain, as many of your companies do now?

OK, I had people coming in the office so I rambled through 14 topics in a short time, sorry about that.