Barry Leiba wrote:
>
> That said, I'm inclined to agree with Mike T that input from the
> reputation target is suspicious, so it's not clear how much value it
> will have nor whether it might be gamed (by the reputation target) or
> hacked (by someone wanting to hurt the target's reputation).

It shouldn't matter whether it is t=y or not, or where the final result came from, technical or reputation. Unless there is a strong exclusive policy involved based on ADSP or some FUTURE REP-POLICY idea saying:

    ADSP: This mail must be signed.
    REP-POLICY: This mail must have a good reputation.

The bad guy does not need to give any sort of signature or rep hints in the mail, and the mail is accepted anyway (or passes this test).

At the very least, with ADSP we have the Author-Domain anchor always available to do a policy test, but for reputation, with its dependency on a signer-domain, there is no technical possibility to get that information. So you need a signature (valid or not) for reputation in order for it to even work.

Anyway, for t=y, verifiers SHOULD NOT treat testers any differently from production mode signers. I think that is what the intent now is for the current DKIM text; if not, it should be clarified.

--
HLS

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html