But there is a residual problem.  Suppose [EMAIL PROTECTED] is a
subscriber to this list and someone spoofs a message from
[EMAIL PROTECTED] to the list.  ietf-dkim@mipassoc.org accepts the
message and sends it to isp.com, their Authorized Signing Domain, and it
is signed and sent.  Is the signature from jdoe (the author) or
ietf-dkim (the mailing list)?  Without Authorized Signing Domains, you
could tell by looking at the local-part of i=.  But now you can't.  I
think this is an important distinction, even if it only applies in a
subset of use cases.

-Jim

Should mailing lists sign messages?
If they did, wouldn't it be a 3rd party sig?
If we were able to say "No third party can sign for me" it would stop the spoof.

Regards,
Damon Sauer
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
