Dave Crocker wrote:
This is useful, but seems to ignore the discussion that has been surrounding
the fact the signature does not provide assurance about the source
yeah. maybe i should have tried for different language, but folks seem more
comfortable with that term and i wanted to see whether we could get basic
agreement on any sort of summary description.
- rather
it provides assurance that a specified signing party is vouching for the
message. The signing party may be associated with the source, or they may
not be. Accepting the message on the basis of the signature implies
accepting the relationship between the signing agent and the message
originator.
I like your last sentence, although the signer does not have to necessarily be
associated with the originator, since the message can be signed anywhere along
the path.
I think we'd do better to just not conflate both of these
things. There are signers that are willing to assert
"this passed through me, for whatever that's worth", and
"this passed through me, and I have a relationship with
one or more of the outside addresses visible". The first
is, essentially, a signed received header. The second
provides the originating domain a way to provide some amount
of comfort to the receiver that it's that domain sending
the mail rather than some random forger. They solve two
different problems, IMO, and a domain may well be willing
to provide the first, but not the second.
Mike
_______________________________________________
ietf-dkim mailing list
<http://dkim.org>