ietf-dkim

Re: [ietf-dkim] Charter bashing...

2005-10-12 11:20:27
Stephen Farrell wrote:



Michael Thomas wrote:

Stephen Farrell wrote:

What people do consider necessary is a policy tag on a key record that
specifies something like 'this key can only sign email from
marketing@example.com' so that the bulk mailer hired to do a promo can't
then impersonate the CEO.



It's still tricky though since it allows me to make bogus assertions.

However, I do understand the application requirement, but do we have
to meet that via creating key/(dis)allowed-domain bindings in a
dkim protocol? Perhaps we do, but then the threat analysis has to
go into a good bit of detail here since that assertion structure
will be used as the basis of attacks.



  Huh?


What's not clear?

Well, none of it really. What attack are you speaking of? How do you make
bogus assertions?

      Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org