On Thu, 2006-09-07 at 08:24 -0700, Michael Thomas wrote:
> That may be a use (though pretty unlikely to me), but the use case
> that I've heard of is more aimed at securing things like
> [EMAIL PROTECTED] without having to say "I sign everything" for
> the entire domain which is assumedly a lot harder. The thing about
> this is that you can alternately set up a record for
> [EMAIL PROTECTED] or some such which would work the same
> way.

The account the recipients expect to see is <[EMAIL PROTECTED]>. When this message is signed by "d=accounts.bigbank.com", then this prevents semantics that would allow the email-address <[EMAIL PROTECTED]> to be assured as being valid. This misses the goal of offering a high level of assurance. In fact, this will likely reduce the level of assurance annotations. :(

When the recipients start seeing the email-address <[EMAIL PROTECTED]>, then they become more prone to cousin and look-alike attacks, such as <[EMAIL PROTECTED]>.

Using this technique at the signing domain reduces assurances that the email-address is valid. Using this technique at the email-address increases exposure to look-alike attacks.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
