On July 29, 2005 at 13:45, Michael Thomas wrote:
I'm not seeing how this prevents a malicious domain from spoofing
the OP identity if the OP has third-party signatures enabled?
If you can provide a more detailed example, I would appreciate it.
Note that this mainly a question of what the receiver does once it's
validated
a signature (eg, the RSA check succeeds). At that point, the receiver
can try
to see if the signature binds to an outside address -- like say the From
address.
The problem is that DKIM does not define any robust binding capabilities
of the signer. Since the i= tag does not have to equal From, how
does the verifier know exactly what the signature is bound to?
--ewh