On May 29, 2006, at 10:10 AM, John L wrote:
For example, all of this concern about having the signing identity
and rfc2822.From identity be different mostly asserts that there
is a problem, without explaining its nature very clearly or
substantiating the validity of the problem.
I basically agree. As you have noted, people seem to think that it
means something if the signing domain and From: domain are the
same. I was hoping I could tease out what that meaning is supposed
to be.
I think it is an attempt to integrate the current world with some
authentication provided by the DKIM signature. Current systems such
as mailing lists rely on the From identity. If a trusted ISP were to
sign the message saying that the From address is valid for the user
that authenticated with the ISP then the mailing list would be able
to trust the From address. This has the obvious problems of how does
the mailing list assign trust to the ISP and how does the ISP learn
all of the valid addresses of it's users.
For a mailing list, the real solution is direct user authentication
and to disregard the ISP or other delivery agent. The users signature
says only that the sender is the same entity that was confirmed
during the subscription process. The list would associate the From
address with that entity and no other entity would be allowed to use
that From address through that list.
For the interim, a user could subscribe to a list through an ISP that
adds DKIM signatures. Instead of the mailing list needing to
determine the trust of the ISP it is the user that assigns trust to
the ISP that carries his messages. Only a forgery that used the same
ISP would then be accepted by the list. It would be up to the user to
then sort the problem out with the ISP.
It may help to preemptively address the forgery issue if the ISP were
to insure that the From address were valid before signing the
message. But this is an issue between the ISP and the user. If an ISP
is going to allow forged addresses why would their signature
verifying the address make any difference?
-- Dan Oetting
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg