ietf-dkim

Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-16 21:24:48
On August 16, 2005 at 19:23, Michael Thomas wrote:

If a signer wants to include an existing signature
field, signature fields should have a clear identification capability
so a verifier can easily determine each field when multiple exist.

Huh? All you'd need to do is add the DKIM-Signature to the h=
list just like any other header.

Which header do I use for verification if multiple DKIM-Signature
fields are present?  Do I assume that it is the next one below
me, hoping no re-ordering has been done?

Not if it is spam.  Spam may have changed how people interpret From.
The only time From is relied upon is if the recipient sees that the
content of the message matches what they expect from From.

As well they should... which is rather the problem at hand, no?

You are making assertions that all mail users know is the From and it
indicates who "authored" the message.  I'm making the point that the
From is not a strong indication of authorship, and many mail users
realize this, and must do more to determine who the real author may
be (which typically means checking the Subject and message content).
It seems mail users would like to see additional indicators beyond
From to provide who created and was involved in the transmission of
the message to avoid reading the message contents (and the potential
dangers of doing so).

Side comment: It is worth noting that more younger people are moving
to instant message style services for communication over email (email
is considered to be for "older" people).  Email should not become a
poor man's IM.  It has certain semantics (that many do not utilize,
but others do) that are important.

As if all of these problems won't resurface with SPIM and SPIT.
It's rather important, IMO, to get an existence proof that
_anything_ identity-wise works for the non-walled garden.

I was making the point of the role of email in the realm of
communication protocols.  Email should not be dumbed down to be a
poor version of IM.  There are (business) interests that want to see
email as a real replacement for physical mail, including the important
(reliable) services that physical mail provides that email cannot
do currently.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
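
Added example, not part of the original message or of any DKIM implementation: it illustrates the question above about which DKIM-Signature field a signer meant when it lists `dkim-signature` in `h=` and several such fields exist. It assumes each signature can be identified by its `d=` and `s=` tags; the domains, selectors and `b=` values are constructed placeholders.

```python
from email import message_from_string

def build(sig_fields):
    # Constructed sample message; b= values are placeholders, not real signatures.
    return "".join(f"DKIM-Signature: {v}\n" for v in sig_fields) + (
        "From: alice@author.example\nSubject: test\n\nbody\n")

AUTHOR = "v=1; d=author.example; s=mail;\n h=from:subject; b=PLACEHOLDER1"
LIST = "v=1; d=list.example; s=fwd;\n h=from:subject:dkim-signature; b=PLACEHOLDER2"
ORIGINAL = build([LIST, AUTHOR])    # list signature prepended above the author's
REORDERED = build([AUTHOR, LIST])   # same fields after a hop re-orders them

def parse_tags(value):
    """Split a tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def signatures(raw):
    """All DKIM-Signature fields, top to bottom, as tag dicts."""
    msg = message_from_string(raw)
    return [parse_tags(v) for v in msg.get_all("DKIM-Signature", [])]

def ident(tags):
    return (tags.get("d"), tags.get("s"))

def next_below(raw, d, s):
    """Positional guess: the signature field directly below the (d, s) one."""
    sigs = signatures(raw)
    for i, tags in enumerate(sigs):
        if ident(tags) == (d, s):
            return ident(sigs[i + 1]) if i + 1 < len(sigs) else None
    return None

def find(raw, d, s):
    """Identity lookup: the signature field carrying these d= and s= tags."""
    return next((t for t in signatures(raw) if ident(t) == (d, s)), None)
```

The positional guess gives a different answer once the two fields swap places, while the lookup by `d=` and `s=` returns the same field in both orderings.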