(Catching up on list traffic, hence the late response...) On 2005-08-14 22:30:01 -0700, Dave Crocker wrote:
> There is nothing in an ordinary email message, except for > the RCPT TO line and the IP address of the host that sent it > to you, that is a reliable identifier. A validated DKIM > signature lets you take some reasonable subset of the > message you received and know that it came from a designated > source. The main benefit of DKIM is that a validating agent > can know where the message came from. This is more > reliability than email source identification has ever had > before. > How do folks feel about this characterization of DKIM? What does "know that a message came from a designated source" mean? There are (at least) two possible interpretations of these words. One interpretation is that the recipient knows that the sender sent this particular instance of the message to him. To make this happen, one would probably want to sign (message-id, message-hash, envelope sender, envelope recipient) tuples (maybe with RFC2822.from instead of SMTP.mailfrom) -- making the (strong) assumption that message-IDs, all other elements being equal, can serve to disambiguate between different chains of SMTP transactions. DKIM does not do this. The other interpretation would be that a given sender has approved a certain message for sending -- period. No assurance about the recipient or binding to a particular transaction is given. Signing the To header does not provide this kind of assurance. This is rather limited assurance is all that DKIM gives, and any description of the protocol should very careful to make clear that this interpretation is intended, not the first one above. Regards, -- Thomas Roessler, W3C <[EMAIL PROTECTED]> _______________________________________________ ietf-dkim mailing list http://dkim.org
