ietf-dkim

Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-15 14:23:33
On August 15, 2005 at 12:53, Michael Thomas wrote:

I think we'd do better to just not conflate both of these
things. There are signers that are willing to assert
"this passed through me, for whatever that's worth", and
"this passed through me, and I have a relationship with
one or more of the outside addresses visible". The first
is, essentially, a signed received header. The second
provides the originating domain a way to provide some amount
of comfort to the receiver that it's that domain sending
the mail rather than some random forger. They solve two
different problems, IMO, and a domain may well be willing
to provide the first, but not the second.

But DKIM does not really allow the first, in general.  In the
first case, the signer is attempting to verify routing information,
but all DKIM signatures are bound to "originator address".  Therefore,
if the SSP disallows third-party signing, then a domain cannot just
sign any message, unless it is the originating domain.  Not all mail
delivery is point-to-point.

Multiple signatures are punted on in the DKIM draft, so that further
limits things.

If DKIM supported richer binding semantics that went beyond the
"originator address", then something like the first case is doable.
Of course, richer binding semantics does add complexity.

--ewh
_______________________________________________
ietf-dkim mailing list
<http://dkim.org>
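
The binding discussed in this message, as an added example that is not part of the original thread or of any DKIM implementation: each signature's `d=` domain is compared with the originator address, and a policy that disallows third-party signing leaves a relay's signature unusable. Assumptions: the originator address is taken from `From:`, the SSP is reduced to a single boolean, signatures are taken as already cryptographically verified, and the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the originating domain signs, then a relay adds its own signature.
SAMPLE = """\
DKIM-Signature: a=rsa-sha1; d=relay.example.net; s=constructed;
 h=from:subject; b=CONSTRUCTED
DKIM-Signature: a=rsa-sha1; d=example.com; s=constructed;
 h=from:subject; b=CONSTRUCTED
From: Alice <alice@example.com>
Subject: constructed test message

body
"""

def dkim_tags(value):
    """Parse a DKIM-Signature header value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def classify(raw, policy_allows_third_party):
    """Return (signing domain, binding, usable) for every signature header.

    Simplification (assumption): a signature is first-party when the From:
    domain equals d= or is a subdomain of it. No cryptographic check is done.
    """
    msg = message_from_string(raw)
    origin = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(header).get("d", "").lower()
        first_party = bool(d) and (origin == d or origin.endswith("." + d))
        binding = "first-party" if first_party else "third-party"
        # A signature not bound to the originator address is only usable
        # when the originator's policy permits third-party signing.
        usable = first_party or policy_allows_third_party
        results.append((d, binding, usable))
    return results

if __name__ == "__main__":
    for allow in (False, True):
        print("third-party signing allowed:", allow)
        for row in classify(SAMPLE, allow):
            print("  ", row)
```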