> Verifying an accountable domain will not prevent a
> mailbox-address from being forged (falsified).

We can change the draft charter language to make this clearer. Instead of
"Forgery of headers that indicate message origin..." it could be (IMO)
"Forgery of the domain found in an RFC2822.From header..."

> Asserting that the From mailbox-domain must
> be signed by the same domain, or even a sub-domain,
> may reduce possible sources of forgery, but it does
> _not_ prevent forgery, such as the falsification of the
> local-part.

Agreed. So we'll shy away from grand claims concerning the total
elimination of domain forgery (no such claim is made anywhere anyway that
I've seen). Now, since total elimination of forgery is not a realistic
goal, I'll happily take a *reduction* in forgery any day and so will any
responsible domain owner. Can you agree with that statement?

> If the domain is large and depends upon the network
> address to authenticate users, then claims that DKIM
> prevents forgery would be irresponsible, even when the
> From mailbox-domain is restricted to being signed by
> the same domain.

I totally do not understand that. What do you mean "network address to
authenticate users"? Is this the IP you're talking about? How does that
bear on whether a domain's signing policy can prevent unauthorized use in
the RFC2822.From or not?

> Considering anti-forgery or anti-phishing out of scope
> for DKIM would increase a focus upon what DKIM
> is actually providing.

Anti-phishing, ok, because we'll all just rathole on that topic.
Anti-forgery, no, absolutely not. If both these are out of scope, what then
is the real-world problem DKIM is trying to address? Is it that we don't
have enough inputs into our filtering engines today and we just MUST have a
signature-based one? Or is it that email users are routinely seeing
unauthorized domain use in the RFC2822.From? Everything I've seen leads me
to believe the problem is the second thing. For example, "Forgery of
headers that indicate message origin is a problem for users of Internet
email." - this is the *first sentence* of the proposed charter. Also:
"DomainKeys Identified Mail (DKIM) defines a simple, low cost, and
effective mechanism by which cryptographic signatures can be applied to
email messages, to demonstrate that the sender of the message was authorized
to use a given email address." This language definitely needs tweaking but
the thrust of the statement is clear - unauthorized use (read: forgery) is
what DKIM is trying to address. Are we not in agreement as a group on this
point?
--
Arvel
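
Added example, not part of the original message: a Python sketch of the check the thread argues about, comparing the RFC2822.From domain with the signing domain in the d= tag. It assumes the signature itself has already been verified cryptographically; the sample messages and the helper names (dkim_tags, from_alignment, sample) are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def from_alignment(raw):
    """Return (local_part, from_domain, relation of the From domain to d=)."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return local, domain, "unsigned"
    d = dkim_tags(sig).get("d", "").lower().rstrip(".")
    if not d or not local:
        return local, domain, "unaligned"
    if domain == d:
        return local, domain, "same-domain"
    # Require a label boundary so badexample.com does not match example.com.
    if domain.endswith("." + d):
        return local, domain, "sub-domain"
    return local, domain, "unaligned"

def sample(from_addr, d):
    """Build a constructed message; bh= and b= are placeholders, not real values."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel1;\n"
            f"\th=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
            f"From: {from_addr}\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    for frm, d in [("alice@example.com", "example.com"),
                   ("Someone Else <ceo@example.com>", "example.com"),
                   ("bob@news.example.com", "example.com"),
                   ("bob@example.net", "example.com"),
                   ("bob@badexample.com", "example.com")]:
        print(from_alignment(sample(frm, d)))
```

The first two messages get the same "same-domain" result: the comparison never looks at the local-part, so which user the local-part names rests on how the signing domain authenticates its own senders.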