This means that it is providing an assurance that the message
contents, including originating address fields, are authorised.
If the signing party is unwilling or unable to provide this
assurance, then they should not apply a signature.

That would be wonderful but the problem is that we can't count on the
signing party playing along with that restriction. Bad actors will be happy
to sign using THEIR domain while placing paypal or ebay (or YOUR domain) in
the FROM. We will have gained little other than the eventual knowledge that
signatures from the bad actor's domain are disreputable. That's good, it's
something we haven't had before (via signature mechanisms anyway) but what's
required by verifiers is specific action when the signature does not match
the FROM.

Aren't we attempting to address forgery of domains in the originator header?
That's the first sentence of the proposed charter. We needn't confound this
goal in my opinion with the smoke-screens of solving "phishing", "spam
prevention", or, God forbid, the spectre of "figuring out who sent the
message".
--
Arvel
_______________________________________________
ietf-dkim mailing list
<http://dkim.org>
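
The mismatch discussed in the message above, as an added example that is not part of the original post: a verifier-side check that compares the signing domain in the `d=` tag of each DKIM-Signature header with the domain in the From header. It assumes the signature itself has already been cryptographically verified elsewhere, and it treats only an exact domain match as a match; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def parse_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            # Header folding leaves whitespace inside values; drop it.
            tags[key.strip()] = "".join(val.split())
    return tags


def from_domain(msg):
    """Return the lower-cased domain of the From address, or ''."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def signer_matches_from(raw):
    """Return (from_domain, signing_domains, matched) for a raw message."""
    msg = message_from_string(raw)
    fdom = from_domain(msg)
    sdoms = [parse_tags(h).get("d", "").lower()
             for h in msg.get_all("DKIM-Signature", [])]
    # Assumption: "match" means the d= domain equals the From domain exactly.
    return fdom, sdoms, bool(fdom) and fdom in sdoms


# Constructed sample: signed by one domain, From shows another.
MISMATCHED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=bad-actor.example; s=sel;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    'From: "PayPal" <service@paypal.example>\n'
    "Subject: constructed sample\n\nbody\n"
)

# Constructed sample: signing domain and From domain agree.
MATCHED = MISMATCHED.replace("d=bad-actor.example", "d=paypal.example")

if __name__ == "__main__":
    for name, raw in (("mismatched", MISMATCHED), ("matched", MATCHED)):
        print(name, signer_matches_from(raw))
```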