On Dec 1, 2006, at 7:52 AM, Wietse Venema wrote:

> Charles Lindsey:
> > If you have a signature, then all I am suggesting is that you first look at the SSP of a signer to see if that provides a satisfactory explanation.
>
> The bad guys can use SSP too. They will be more than happy to provide you with every possible satisfactory explanation that you're willing to believe.

Agreed. A DKIM-related policy should be referenced from various email-originating elements. These policies might then associate these various email-originating elements with the signing domain. It is rather nonsensical to reference signing domains to inquire about who should be signing.

> > For sure, you now know where the mail DID come from.
>
> Nothing that DKIM-BASE didn't already tell you. In my opinion, making decisions based on the signer's SSP instead of or before the 2822.From SSP is the worst possible application of this technology. It's like allowing the idiots to run the asylum.

Policies should be available for any email-originating element and not just 2822.From headers. In addition, attempting to accommodate non-DKIM-aware MUAs by appending information at the end of the message (when allowed by the signer) is also prone to abuse. There should be no claims made regarding DKIM's ability to prevent spoofing, even when proposing strict enforcement of authorization policies that is based upon the recipient's visual perceptions.

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html