John Levine wrote:
> > There is nothing in an ordinary email message, except for the IP
> > address of the host that sent it to you, that is a reliable
> > identifier. A validated DKIM signature adds a level of
> > authentication by identifying the domain responsible for the message.
>
> It might be better to say
>
>   ... by identifying a domain that takes responsibility for the message.
>
> We don't promise that's the only domain that might have something to
> do with it, we do promise that's the place to complain to if you
> don't like it.

I'm sort of uncomfortable saying this in any formal way,
or as a formal goal. We're clearly not providing a complaint
desk transport protocol, nor do I get the impression that
anybody's even thinking down those lines. It also toes the
line with non-repudiation too, which I really don't think
we want to get ensnared in. Which isn't to say that DKIM
won't provide better forensics -- I think it will -- but
as its main or even a secondary goal, I think it implies
that we'd need to deliver a lot more thought, guidance
and/or protocols than I think we're prepared to do.
Mike
_______________________________________________
ietf-dkim mailing list
<http://dkim.org>