On Wed, May 31, 2006 at 06:26:25PM -0600, Dan Oetting wrote
For the interim, a user could subscribe to a list through an ISP
that adds DKIM signatures. Instead of the mailing list needing to
determine the trust of the ISP it is the user that assigns trust
to the ISP that carries his messages. Only a forgery that used the
same ISP would then be accepted by the list. It would be up to the
user to then sort the problem out with the ISP.
It may help to preemptively address the forgery issue if the ISP
were to insure that the From address were valid before signing the
message. But this is an issue between the ISP and the user. If an
ISP is going to allow forged addresses why would their signature
verifying the address make any difference?
Real-life question...
1) How does any ISP (beyond a really small geek outfit) verify that I
am authorized to use *(_at_)waltdnes(_dot_)org ?
--
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg