On Sep 12, 2006, at 10:30 AM, Wietse Venema wrote:
I get mail that pretends to be from my bank. The SSP says the mail
is 100% pure non-forged. However, the DKIM-BASE signing domain is
not in my list of trusted signing domains. I get a warning that
this mail could be sent by a party that I have no relationship with.
This may be a revolutionary concept to some, but a widely used
application called ssh has been using such tricks for 10 years. Its
approach to opportunistic authentication is not perfect for
purists, but it works for real people.
Having gone in circles twice, I think this is a good time to step
out of this thread.
I am in complete agreement with your statement. Rather than offering
a warning, not offering a positive annotation akin to the browser
lock-icon should also work.
While the capturing of the DKIM signing-domain with that of the
email-address would work, this could be made more reliable by adopting
conventions for conveying when the signing domain has assured the
email-address in some fashion. In addition, policy could also help
reduce risks associated with the capturing efforts by confirming
email-address/signing-domain associations. With policy, it might
also be possible to only capture the email-address itself, where
policy makes the signing-domain association.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
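The ssh-style "capture the signing domain on first contact" mechanism discussed above, as an added example that is not part of either Wietse's or Doug's message and is not code from any DKIM implementation. It assumes the DKIM-BASE signature has already been cryptographically verified by an earlier stage (no crypto is done here), uses the DKIM `i=` identity tag as a stand-in for the "signing domain assures the email-address" convention Doug asks for (an assumption made for illustration), and operates on constructed sample messages. It shows the two user-interface choices from the thread side by side: a warning on an unknown or changed signer (Wietse's approach) versus simply withholding the positive lock-icon annotation (Doug's approach).

```python
"""Trust-on-first-use association of From addresses with DKIM signing domains.

Illustrative code: the signature is assumed to be already verified, and
the i= tag is used here as an assumed convention for "the signer vouches
for this email-address".
"""
import email
from email.utils import parseaddr

# Verdicts returned by SigningDomainStore.annotate()
KNOWN = "known"            # this address has been signed by this domain before
FIRST_SEEN = "first-seen"  # no prior association; it is recorded now
MISMATCH = "mismatch"      # address previously seen signed by a different domain
UNSIGNED = "unsigned"      # no (verified) DKIM-Signature header at all


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list into a dict.

    Folding whitespace inside values (continuation lines) is removed, so
    a header folded across lines parses the same as a single-line one.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())
    return tags


def signer_assures_address(tags: dict, addr: str) -> bool:
    """Assumed convention: the signer vouches for the address when i= equals it."""
    return tags.get("i", "").lower() == addr.lower()


class SigningDomainStore:
    """Remembers which signing domains have been seen for each From address,
    in the spirit of ssh's known_hosts."""

    def __init__(self):
        self.seen = {}  # from-address -> set of DKIM d= domains

    def annotate(self, raw_message: str, signature_verified: bool = True):
        """Return (verdict, assured) for one message.

        assured is True when the signer also vouched for the From address
        via the assumed i= convention; it is False for unsigned mail.
        """
        msg = email.message_from_string(raw_message)
        _, addr = parseaddr(msg.get("From", ""))
        addr = addr.lower()
        dkim = msg.get("DKIM-Signature")
        if not dkim or not signature_verified or not addr:
            return UNSIGNED, False
        tags = parse_dkim_tags(dkim)
        signing_domain = tags.get("d", "").lower()
        assured = signer_assures_address(tags, addr)

        if addr not in self.seen:
            # First contact: capture the association, exactly like ssh does
            # with a host key, but offer no positive annotation yet.
            self.seen[addr] = {signing_domain}
            return FIRST_SEEN, assured
        if signing_domain in self.seen[addr]:
            return KNOWN, assured
        # A different signer for a known address: do NOT record it silently.
        return MISMATCH, assured


def ui_action(verdict: str, warn_on_unknown: bool) -> str:
    """Map a verdict to what the mail client shows.

    warn_on_unknown=True models Wietse's warning on unfamiliar signers;
    False models Doug's suggestion of merely withholding the lock icon.
    """
    if verdict == KNOWN:
        return "positive-annotation"
    if verdict == MISMATCH:
        return "warning"
    if verdict == FIRST_SEEN and warn_on_unknown:
        return "warning"
    return "no-annotation"


# Constructed sample messages (placeholder hashes; no real signatures).
MSG_BANK = """From: Bank Alerts <alerts@bank.example>
To: user@isp.example
Subject: Your statement is ready
DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel1;
 i=alerts@bank.example; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Constructed statement notice.
"""

MSG_OTHER_SIGNER = """From: Bank Alerts <alerts@bank.example>
To: user@isp.example
Subject: Urgent: confirm your account
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.example; s=x;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Constructed message signed by an unrelated domain.
"""

MSG_UNSIGNED = """From: Bank Alerts <alerts@bank.example>
To: user@isp.example
Subject: Hello

Constructed unsigned message.
"""

if __name__ == "__main__":
    store = SigningDomainStore()
    for label, raw in [("bank #1", MSG_BANK), ("bank #2", MSG_BANK),
                       ("other signer", MSG_OTHER_SIGNER), ("unsigned", MSG_UNSIGNED)]:
        verdict, assured = store.annotate(raw)
        print(f"{label:13} {verdict:11} assured={assured} "
              f"warn-style={ui_action(verdict, True)} "
              f"no-warn-style={ui_action(verdict, False)}")
```

The store is keyed by the full From address rather than only its domain, which matches Doug's later remark about capturing the email-address itself; keying by domain instead is a one-line change in `annotate()`. Note that a mismatch is deliberately never auto-recorded: as with ssh, a changed key is the case a user should look at, not one the client should quietly accept.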