> On 5/7/2010 10:07 AM, John R. Levine wrote: >> No, all it says is "we signed this mail." A signer with a good reputation >> will presumably rarely sign mail where the From: address actively >> misidentifies the sender, but that's a second order effect. > "misidentifies" covers quite a lot.
I used it to mean that the From: address doesn't have a reasonable connection to any of the persons or entities that composed the message, for some reasonable definition of reasonable. > If I send mail from bbiw.net (well, actually, sbh17.songbird.com is my > standard MSA) but label the From: field as being gmail.com, that's reasonable > to classify as "misidentifying" the From: address, since songbird has nothing > to do with gmail. No, that's not misidentification. It may be something else, but we need more precise terminology, preferably that avoids loaded terms like "forgery". > Operator-based signing is typically meaning that the message was posted by an > authorized user. There's absolutely no implication that the operator checked > or enforced the contents of the From: field. That entirely depends on what you know about the signer. Two of the largest signers, Google and Yahoo, mechanically check that the user receives mail at the From: address. One of the smallest, me, knows his users well enough to be confident that they won't do hostile address fakery even though I don't enforce anything mechanically beyond adding trace headers. I have other opinions about other signers. I'm realizing that a basic problem we have with explaining DKIM is that it makes semantic rather than operational assertions about messages. Since we are nerds, many of us deeply want to assign operational definitions, like "the people who know the passwords to the MTA that emitted this mail also know the passwords to the DNS server for the domain in the From: line", but they don't work, particularly for list mail in which the only operational definition of a good list is one where the recipients like what it sends. So here's a scenario. Let's say I run a political satire mailing list, to which members contribute wacky messages pretending to be from famous people like bi...@microsoft.com or sa...@elysee.fr. I use some technique not visible in the outgoing mail to ensure that the contributions are from list members (perhaps a password that's stripped out.) Of course the list puts a shiny new DKIM signature on all its mail. The list is triple opt-in with a cherry on top, and the subscribers await each list message all agog. Filter that. R's, John _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html