ietf-dkim

Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-16 21:13:17
On August 16, 2005 at 19:05, Michael Thomas wrote:

Why is it important to know who the recipients were?

As has been noted before, it can help deal with replay problems and
provide a trail if a message is re-introduced into the mail
system.

IIRC DKIM can't sign envelope fields, and it doesn't clearly
distinguish between author and sender roles.

If it were important, it could easily be added. I don't
understand why it's important. And I don't understand
what is gained by separating roles.

Author and sender can be two different entities.  And in case
of re-introduction, sender vs author is even more significant.

b. Message was authored by A, signed by A, but initially submitted to
some other address and later forwarded to your mother.  Show the From
field but also show a highlighted alert that says "this message was not
sent to you by the author of the message, but was forwarded to you by
<address>".

Probably ok, I believe that some MUAs do this now more
or less with Sender (albeit without any assurance).

What about the Resent-* fields?  Not sure how well MUAs display them.
Not sure of how many MUAs support "resending" of a message versus
forwarding.

c. Message was authored by A but signed by someone else.  Show the From
field but also show a highlighted alert that says "This message claims
to be written by A but was signed by B".

You just lost My Mother, I think. Well, at least you lost
me because I have no idea how I ought to behave in its
presence.

This is exactly what DKIM does.  A message was authored by A and
the domain, B, is the signer.  Therefore, are you saying you do
not know how to deal with DKIM signed messages?

And again, I certainly don't expect users to sort out this stuff by
looking at message headers.  (they couldn't verify the signatures by
looking at them anyway).  So yes, cutesy icons and simple text
displayed above the message on a colored background is very much what I
have in mind.

The point I was trying to make is that new identities, etc, confuse
users.

I do not think you can state that as fact.  Much depends on how
the information is displayed to recipients.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
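
The author/signer display cases argued over in this thread can be sketched as follows. This is an added example, not part of the original messages and not code from any MUA or from the DKIM authors. It assumes the signature was already verified by another component, takes the `d=` tag of `DKIM-Signature` as the signing domain, compares domains by exact match, and uses constructed sample messages; `classify`, `sample` and the `*.example` names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lowercased domain of the first address in a header value, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def signing_domain(dkim_header):
    """Extract the d= tag from a DKIM-Signature tag list (tag=value; ...)."""
    for part in (dkim_header or "").split(";"):
        tag, _, value = part.partition("=")
        if tag.strip() == "d":
            # Folding whitespace inside the value is not significant.
            return "".join(value.split()).lower() or None
    return None

def classify(raw):
    """Map a message onto the display cases from the thread.
    Assumption: the signature itself has already been verified elsewhere."""
    msg = message_from_string(raw)
    author = domain_of(msg["From"])
    signer = signing_domain(msg["DKIM-Signature"])
    resent = msg["Resent-From"]  # unauthenticated here: shown without assurance
    if signer is None:
        return "unsigned"
    if signer != author:
        # Case c: author A, signer B.
        return f"claims to be written by {author} but was signed by {signer}"
    if resent:
        # Case b: signed by the author's domain, later re-introduced.
        return ("signed by author domain, forwarded to you by "
                + parseaddr(resent)[1])
    return "signed by author domain"

def sample(d, extra=""):
    """Constructed test message; the b= value is a placeholder, not a signature."""
    return (f"From: Alice <alice@a.example>\n{extra}"
            f"DKIM-Signature: a=rsa-sha1; d={d};\n s=sel; b=CONSTRUCTED\n\nbody\n")

if __name__ == "__main__":
    for raw in (sample("a.example"),
                sample("a.example", "Resent-From: bob@b.example\n"),
                sample("b.example")):
        print(classify(raw))
```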