On Fri, 4 May 2007, Douglas Otis wrote:
> No sender assurances exist to safely permit an inference that a specific
> email-address is genuine when matched against the signing domain. That
> is an opaque function of the signing domain.

If I get mail which was signed by example.com, the signature verifies, and
the From: contains an example.com address, on what grounds other than
arbitrary ones would I distrust the contents of the From: header?

Certainly someone could've hacked example.com's machines or found a way to
generate mail that they will sign, but that doesn't change what you can
infer from DKIM. If I'm willing to trust that their machines are safe, my
assertion is sound.

-MSK
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
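
The inference discussed in the reply above, written out as an added example (not part of the original message and not taken from any DKIM implementation). It assumes the signature was already verified by a real DKIM verifier; the function names and the sample message are constructed for illustration. It goes slightly beyond the post by also requiring that From: appears exactly once and is listed in the signature's h= tag, since a From: outside the signed headers is not vouched for by the signer.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, not real signature data.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: bob@example.net
Subject: hello

body
"""

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def from_matches_signer(raw, signature_verified):
    """Return (ok, reason). signature_verified is the result of a DKIM verifier
    run beforehand (an assumption); this function does no cryptography."""
    if not signature_verified:
        return False, "signature did not verify"
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return False, "message must carry exactly one From: header"
    sig = msg.get("DKIM-Signature")  # first signature only, for brevity
    if sig is None:
        return False, "no DKIM-Signature header"
    tags = parse_tags(sig)
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    if "from" not in signed:
        return False, "From: is not covered by the signature"
    from_domain = parseaddr(froms[0])[1].rpartition("@")[2].lower()
    signer = tags.get("d", "").lower()
    if not signer or from_domain != signer:
        return False, f"From: domain {from_domain!r} differs from d={signer!r}"
    return True, f"From: domain matches signing domain {signer}"
```

A True result says only that the signing domain vouches for a From: in its own domain; whether that particular local part is genuine still rests on trusting the signer's systems, which is the point both posters are arguing over.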