On Wed, 2006-09-06 at 21:42 -0400, Wietse Venema wrote:
> With only a small number of email addresses in a domain, the existing
> mechanism is plenty sufficient.

It does not matter whether there are hundreds or millions of email-addresses within a domain. A mechanism offering a unique policy for a select email-address offers essential protection when only the domain is trusted. This selective mechanism would likely apply to only a few of the email-addresses.

> Simply use an appropriate selector field in the DKIM signature. This
> problem can easily be solved without introducing complexity in the
> form of per-user mechanisms.

Currently there is no DKIM convention to assist in identifying which messages should receive automated assurance-related annotations based solely upon the domain. Do not assume:

a) Recipients recognize look-alike and cousin domains.
b) Email-address validity is not important.
c) Messages signed by a trusted domain are trustworthy.
d) DKIM selectors or signing domains indicate:
   i) An email-address is valid.
   ii) A message is trustworthy.
e) All messages from bad actors have been blocked.

> As far as I can tell, we're talking about a solution for which a
> convincing problem has yet to be found.

Not all messages signed by a domain:
- are trustworthy.
- offer valid email-addresses.

These facts pose a basic problem when attempting to convey trust related information to a recipient by way of annotation. How else is DKIM to be used? Most institutions are not willing to vouch for the integrity of all signed messages. Once signed, a message can be replayed, thereby amplifying concerns of their integrity. An ability for the domain to vouch for only specific email-addresses offers substantial protections for both the domain and the recipient. This selectivity can be achieved without email-address selective policies. However, isolation by email-address likely conforms to most domains' expectations and present practices. Once a recipient places an email-address into their address book, only validity semantics are required at that point.

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
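The distinction the message turns on, that a signature from a trusted domain says nothing about whether the specific From mailbox is valid or vouched for, can be made concrete by looking at what a DKIM-Signature header actually names. The following is an added example, not code from the post or from any DKIM implementation. It parses the signing domain (`d=`) and selector (`s=`) that the thread mentions, plus the standard `i=` agent/user-identifier tag, and reports whether the signature is unrelated to the From domain, vouches only for the domain, or names the exact From mailbox. Treating an `i=` that matches the From address as the signer vouching for that address is this example's own interpretation, not something the thread establishes; the headers used are constructed, and `annotation_allowed` is a hypothetical policy hook that grants an assurance annotation only in the last case.

```python
"""Classify what a DKIM signature vouches for: nothing, a domain, or a mailbox.

Added example. Inputs are constructed header values; tag names d=, s=, i= are
the standard DKIM signing-domain, selector and agent-identifier tags.
"""
import re
from email.utils import parseaddr


def parse_dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag list ("k=v; k=v; ...") into a dict.
    Folding whitespace inside values (common in b= and h=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue  # trailing empty element after the final ';'
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _under(domain: str, parent: str) -> bool:
    """True when domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def classify_assertion(from_header: str, dkim_header: str) -> str:
    """Return the identity level a signature asserts about the From address.

      'none'    - d= is unrelated to the From domain (including look-alikes)
      'domain'  - d= covers the From domain, but no particular mailbox is named
      'address' - i= names the exact From mailbox under the signing domain

    'domain' is the case the post warns about: the signature is genuine, yet it
    says nothing about whether the local-part is a valid or trusted address.
    Case-folding the local-part is a simplification for this example.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "none"
    local, from_domain = (s.lower() for s in addr.rsplit("@", 1))

    tags = parse_dkim_tags(dkim_header)
    d = tags.get("d", "").lower()
    if not d or not _under(from_domain, d):
        return "none"

    i = tags.get("i", "").lower()
    if "@" in i:
        i_local, i_domain = i.rsplit("@", 1)
        if i_local == local and i_domain == from_domain and _under(i_domain, d):
            return "address"
    return "domain"


def annotation_allowed(from_header: str, dkim_header: str) -> bool:
    """Hypothetical policy: annotate a message as 'assured' only when the
    signer named the exact mailbox, never on the strength of the domain alone."""
    return classify_assertion(from_header, dkim_header) == "address"


# Constructed sample headers (b= and bh= values are placeholders, not real hashes).
SAMPLES = [
    ("Alice <alice@example.com>",
     "v=1; a=rsa-sha256; d=example.com; s=sel1; i=alice@example.com;\r\n"
     " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("Alice <alice@example.com>",
     "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("Alice <alice@examp1e.com>",
     "v=1; a=rsa-sha256; d=example.com; s=sel1; i=alice@example.com; bh=X; b=Y"),
]

if __name__ == "__main__":
    for frm, sig in SAMPLES:
        print(f"{frm:32} -> {classify_assertion(frm, sig):8} "
              f"annotate={annotation_allowed(frm, sig)}")
```

The third sample shows the look-alike case from the post: the signature is perfectly valid for example.com, but the From domain is a cousin, so nothing should be annotated. The second shows the domain-only case, where a genuine signature still leaves the validity of `alice@` unasserted.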
