Douglas Otis wrote:
...
What is the goal attempted by the DKIM? As you have indicated, DKIM
does not protect against forgery of From headers prior to signing. The
old expression, garbage in garbage out would seem to apply. If there
is any protection, this would be prior to DKIM. The level of
protection in this regard would be related to trusting prior
validations made by the signing domain and would be unrelated to DKIM.
I would expect a normal application of DKIM would be simply signing
outbound messages without performing any checks with respect to the
related privileges associated with a specific mailbox domain. This
would reflect current common practices.
I believe that this is an important point. For servers dedicated to a
single administrative entity, this is probably not a major issue, but
for shared servers, there is a risk here.
How DKIM should be done on shared servers is probably worthy of some
dedicated thought and discussion. It will likely have impacts at the
standards level as well as in implementation and operational details.
...
Suggesting that DKIM prevents forgery would be misleading. DKIM
provides an accountable domain. SSP provides mailbox-domain
authorizations which may limit possible sources of abuse. Describe the
goal or the intent of the mechanism without over-stating or
misconstruing its purpose. I think the rather nebulous descriptions in
the current charter does not adequately describe the intended goals.
Considering DKIM and SSP as separate efforts seems well justified.
There should be commensurate goals expressed separately for each effort.
Would it be fair to characterize your position that DKIM (base and SSP)
has some potential utility for describing some messages as NOT
authorized by the mailbox domain, but that it's ability to give a
positive assurance of authorization is limited?
Scott Kitterman
_______________________________________________
ietf-dkim mailing list
http://dkim.org