ietf-dkim

Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns

2006-08-16 17:46:51
Jim Fenton wrote:

> Douglas Otis wrote:
>> This seems like a minor change for the better.  What weakness can't be
>> fixed by the proper procedures followed by a signing domain?
> The one I described:  the inability for a verifier to distinguish an
> author signature generated by the delegate from a third-party signature
> generated by the delegate operating in a different context.

What would be useful is for people who are neutral about this issue to
look at the attack vector Jim describes. It sure seems real to me, but some
independent verification would be helpful as well. In particular, what would
be nice is to place requirement constraints on the protocol such that this
attack must be able to be mitigated by the delegated third party. If that's
possible at all.

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html