Steve Atkins wrote:
On Jan 12, 2009, at 4:44 AM, Alessandro Vesely wrote:
Hm.. I'm not much into DKIM. It technically allows to sign false
identities, but doesn't (or shouldn't) it semantically imply that the
signers must have some (possibly small but still positive) degree of
trust that what they sign is correct?
No. The signature only means that the message you received was the one
signed by the signing identity.
Thanks for the clarification.
Any mail system that only allows mail to be sent one at a time, and
requires that the mail be hand-typed (rather than stored in a signature
or pasted in) and which charges for the service via a credit card is
going to be a negligible source of abusive email.
KioskCo is definitely going to want to sign the outbound mail with their
identity, as that identity is unlikely to get a bad reputation and will
likely get a good reputation over time.
Wouldn't then make more sense to just sign, say, the date and the
message-ID?
Besides malicious abuses, typos are also a possible source of
confusion for end users. Considering that perhaps one day it will be
possible to read the correct email address from the payment card, if I
were KioskCo, I would avoid to sign From headers I don't trust, unless
specifically required by DKIM or related BCPs.
[N.B. "KioskCo" in this thread is understood as an example name, not
related to possibly existing companies bearing the same name.]
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg