On August 18, 2005 at 09:33, SM wrote:
because it makes things simpler for mailing lists (why check SSP at
every step?) and because it puts the decision in the hands of the
recipient's verifier because it's really the recipient we're serving.
Whatever we put in the SSP, it comes down to the receiver's end
making the final decision. DKIM cannot stop people from "using our domain".
It is a problem if a receiving verifier does not play by the rules,
but most systems have this problem. Receivers that rely on another
party to validate the messages (e.g. their mailbox provider), have
to have trust that the provider is doing things right.
As for the receiver making the final decision, all receiver
implementation should generate the same result on the same message
(at the DKIM level). There should not be room for ambiguity and
variability, this can lead to exploitation.
Also, if the sender/signer can reliably perdict what a verifier will do
(at the DKIM level), there is little use in signing messages.
--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org