On Sun, May 10, 2015 at 9:53 AM, John Levine <jo...@taugh.com> wrote:
> >Under at least one of the proposals, it can be determined that "yes, A
> >signed the mods, and if the mods are removed to re-generate the original
> >message, B signed the original message". If we have that, then I think
> >the question becomes: if this is to be a DMARC-like scheme, how do we tie
> >A's signature to some kind of relevant header field, since the "From:"
> >header is already "reserved" for the original signer.
>
> You don't even need to be able to tell what part of the message is
> attributable to which party. All you need to know is that the first
> signer considers it to be close enough.
>
> Remember the key axiom of mail reputation: you cannot say good things
> about yourself, only neutral or bad things. (This should be obvious
> if you think about it for a moment, since any assertion a nice sender
> can make, a nasty sender can also make.) Good stuff has to come from
> trusted third parties, and given the difficulty of establishing trust,
> that means the number of third parties has to be small.
>

This is an interesting observation when compared to DKIM and SPF, where you
only actually know something about the message when they report a "pass".
But that's authentication, not reputation.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc