On Sat, 2005-11-05 at 00:38 -0500, Hector Santos wrote:

> And how does a VERIFIER or SIGNER get this "exposed expressed desire?" How
> does the VERIFIER and possibly RESIGNER get this information?
The opportunistic scheme is rather simple, so I try fewer words.

As the MDA sees broad-bindings with matching domains, it compiles a list of these matches. This list could be simply the domain-names.

  this-bank.com
  that-bank.com
  pay-this.com
  pay-that.com
  this-store.com
  that-store.com

Perhaps these names are stored in a zone or a database. It does not matter.

When a message is received and there is a domain within the list that matches a possible originating email-address domain, but the signing-domain does not match, this should raise an alert on the message. Instead of 'w=b' there could be an assertion of 'w=p' where such match failures should be considered possible "phishing" attacks.

The difference is subtle. An email-address is never expected to authorize the signing-domain or have a policy. The signing-domain asserts the email-address relationship within the signature. Your chart should not offer hostile treatment when email-addresses don't match the signing-domain, unless they are on a list. When they are not on the list, then the reputation of the signature would simply be evaluated. In this case, the signing-domain and email-domain not matching is fine. At least the signature provides a valid place to complain, not the email-address.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
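The opportunistic list check described in the post, written out as an added Python example (an illustration for this thread, not code from the post or from any DKIM implementation). It assumes From and Sender are the candidate originating addresses, that domains compare by exact match, and that an unsigned message from a listed domain also counts as a mismatch; the watch list and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed watch list: domains the MDA has seen with broad bindings
# (the post's example names; a real MDA would build this from observed mail).
WATCH_LIST = {"this-bank.com", "that-bank.com", "pay-this.com",
              "pay-that.com", "this-store.com", "that-store.com"}

def signing_domain(dkim_header):
    """Return the lower-cased d= tag of a DKIM-Signature header, or None."""
    if not dkim_header:
        return None
    for tag in dkim_header.split(";"):          # tags are name=value; pairs
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return None

def classify(raw_message, watch_list=WATCH_LIST):
    """Apply the opportunistic rule: a listed originating domain must also be
    the signing domain, otherwise raise the 'w=p' alert. Returns "match",
    "alert" or "reputation" (unlisted: just evaluate signature reputation).
    Assumptions: From and Sender are the candidate originating addresses,
    domains compare by exact match, and an unsigned message from a listed
    domain is treated as a mismatch."""
    msg = message_from_string(raw_message)
    signer = signing_domain(msg.get("DKIM-Signature"))
    listed = False
    for header in ("From", "Sender"):
        _, addr = parseaddr(msg.get(header, ""))
        domain = addr.rpartition("@")[2].lower()
        if domain in watch_list:
            listed = True
            if domain != signer:
                return "alert"
    return "match" if listed else "reputation"

# Constructed sample messages (bodies trivial; the headers are what the rule reads).
SIGNED_OK = ("From: Alerts <alerts@this-bank.com>\n"
             "DKIM-Signature: v=1; a=rsa-sha256; d=this-bank.com; s=sel;\n"
             " h=from:subject; bh=...; b=...\n\nhello\n")
SIGNED_BY_OTHER = SIGNED_OK.replace("d=this-bank.com", "d=free-mail.example")
UNSIGNED_LISTED = "From: billing@pay-this.com\nSubject: invoice\n\nhello\n"
UNLISTED = ("From: news@other.example\n"
            "DKIM-Signature: v=1; a=rsa-sha256; d=free-mail.example; s=x; b=...\n\nhi\n")
```

Only the listed-domain mismatches come back as "alert"; an unlisted From domain signed by a third party falls through to ordinary signature reputation, which is the distinction the post draws.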