Damon wrote:

>> But there is a residual problem. Suppose [EMAIL PROTECTED] is a
>> subscriber to this list and someone spoofs a message from
>> [EMAIL PROTECTED] to the list. ietf-dkim@mipassoc.org accepts the
>> message and sends it to isp.com, their Authorized Signing Domain, and it
>> is signed and sent. Is the signature from jdoe (the author) or
>> ietf-dkim (the mailing list)? Without Authorized Signing Domains, you
>> could tell by looking at the local-part of i=. But now you can't. I
>> think this is an important distinction, even if it only applies in a
>> subset of use cases.
>>
>> -Jim
>
> Should mailing lists sign messages?

I believe they should.

> If they did, wouldn't it be a 3rd party sig?

Yes.

> If we were able to say "No third party can sign for me" it would stop
> the spoof.

But the signature from the mailing list adds value (it says the message is really from the list), so many domains would not want to express that policy. What's needed is a way to unambiguously interpret the role of the signature (i.e., is it a signature representing the author or the mailing list) and the SSP delegation proposal has made that ambiguous in some cases.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
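The role question Jim raises can be made concrete by looking at how a verifier would classify a signature from its i= tag. The following is an added example, not code from the thread or from any DKIM implementation; the headers are constructed samples, and the form of the delegated signature (d=isp.com with no i= local-part) is an assumption about what an Authorized Signing Domain would emit.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (placeholders, not real messages).
FROM_HEADER = "John Doe <jdoe@isp.com>"
# Author's own domain signs and names the mailbox in i=.
AUTHOR_SIG = "v=1; a=rsa-sha256; d=isp.com; s=sel; i=jdoe@isp.com; h=from:to; bh=...; b=..."
# The mailing list signs under its own domain: a third-party signature.
LIST_SIG = "v=1; a=rsa-sha256; d=mipassoc.org; s=sel; i=ietf-dkim@mipassoc.org; h=from:to; bh=...; b=..."
# Assumed delegated form: isp.com signs the list's copy, no i= local-part survives.
DELEGATED_SIG = "v=1; a=rsa-sha256; d=isp.com; s=sel; h=from:to; bh=...; b=..."


def parse_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs (whitespace dropped)."""
    tags = {}
    for item in sig.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def signing_identity(tags):
    """Return (local_part, domain) of the i= identity; i= defaults to '@' + d= when absent."""
    ident = tags.get("i", "@" + tags["d"])
    local, _, domain = ident.rpartition("@")
    return local, domain.lower()


def classify(from_header, sig):
    """Say whom a signature speaks for relative to the From address."""
    _, from_addr = parseaddr(from_header)
    from_local, _, from_domain = from_addr.rpartition("@")
    local, domain = signing_identity(parse_tags(sig))
    if domain != from_domain.lower():
        return "third-party"      # signer is not the author's domain (e.g. the list)
    if local == from_local:
        return "author"           # same domain and i= names the From mailbox
    if local == "":
        return "ambiguous"        # same domain, but i= carries no mailbox: Jim's case
    return "other-user"           # same domain, different mailbox named
```

The third sample is the one the thread is about: the verifier sees a valid isp.com signature on a message From jdoe@isp.com, yet nothing in i= says whether isp.com vouched for jdoe or merely for the list's copy.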