ietf-dkim

Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-23 10:16:02
John R Levine wrote:
I concur with Tony's model that a signature only means "I will accept
the blame for this message".

I don't think that flies, or at least, I think that makes DKIM of fairly
marginal value.  A message itself is rarely blameworthy; what matters is
the context.


Right. The context is who signed it.

That's not sufficient unless signers who (re)transmit messages are clearly distinguishable from signers who author content. That would be a workable solution, though I don't think it's desirable to overload addresses in this way.

Other than you, I see no interest at all in Lumos-style schemes to express 
complex semantics of signatures.

You're the one who keeps trying to label a small (maybe one-bit) tag, along with the ability to sign envelope addresses, as "complex semantics".

For that matter, you're the only one who keeps trying to obfuscate my proposal by associating it with someone else's idea that was dissed in the mass exercise in confusion that was ASRG.

So if DKIM is going to be at all useful, it has to distinguish between
an author signing the content and a (re)sender signing "yes, I (re)sent
the message to this set of recipients".


You keep saying this, but it doesn't follow from your other arguments, and
it's just plain not true.  A signature that lets me tie a message to a
domain is plenty useful with no other semantics attached.

Sorry, no. It doesn't mean much of anything except to say that the signer saw the message. That's not useful to counter any threat that I am aware of.

I'm planning to look up the signing domain in whatever passes for a
reputation system, and if it says good, I'll accept it, if it says
bad, I'll reject it, and if it says nothing, I'll send the message
through the filtering gauntlet I use now.


And what problem does this solve?  Why does the fact that mail has
passed through your MTA confer some sort of legitimacy on it, no matter
what the content or the context?


Because domains are run by people, some of whom do a much better job of
managing their mail than others.

That's a bit like saying that drivers in some states are better than drivers in other states, so states should discourage bad drivers by blocking off their borders with states with bad driving reputations.

Keith
_______________________________________________
ietf-dkim mailing list
http://dkim.org