Michael Thomas wrote:
Stephen Farrell wrote:
What people do consider necessary is a policy tag on a key record that
specifies something like 'this key can only sign email from
marketing(_at_)example(_dot_)com' so that the bulk mailer hired to do a promo
can't then impersonate the CEO.
It's still tricky though since it allows me to make bogus assertions.
However, I do understand the application requirement, but do we have
to meet that via creating key/(dis)allowed-domain bindings in a
dkim protocol? Perhaps we do, but then the threat analysis has to
go into a good bit of detail here since that assertion structure
will be used as the basis of attacks.
Huh?
What's not clear?
Stephen.
Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org