ietf-dkim

Re: [ietf-dkim] draft-fenton-dkim-threats-00

2005-10-13 14:13:02
Earl Hood wrote:
> In order to provide a better assessment on the value of a DKIM domain
> identity, it would help to know the role it played in the transmission
> of a message.  For example, an originating domain signature may have
> a different weighting by recipients from a forwarding domain signature
> when determining if the message is acceptable.

The main problem with roles or any other assertion that
cannot be independently verified is that they cannot
be trusted by the receiver. If there's some sort of
advantage to asserting a role which cannot be verified
independently, then attackers will exploit it.

About the only "role" I think we can ascertain with any
certainty using the DNS hierarchy as the trust root
is that a domain asserting an identity has a relationship
with one or more of the origination identities (or not).
This can be independently verified since there is a
relationship between the domain suffix of the 2822 address
under consideration and the corresponding DNS tree. Beyond
that, I don't know what verifiable roles DNS can provide.

                Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org
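
The relationship check described in the reply above, as an added Python example that is not part of the original thread. It assumes the signatures were already cryptographically verified, and it takes "relationship" to mean that the signature's `d=` domain equals, or is a parent of, the domain of a From address; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def signing_domain(sig_header):
    """Return the d= tag of a DKIM-Signature header value, lowercased, or None."""
    for tag in sig_header.split(";"):
        name, sep, value = tag.partition("=")
        if sep and name.strip().lower() == "d":
            # Tag values may be folded across lines; drop all whitespace.
            return "".join(value.split()).lower().rstrip(".") or None
    return None

def is_same_or_parent(signer, author_domain):
    """True if signer equals author_domain or is a DNS parent of it.

    Comparison is label by label, so "ample.com" is not treated as a
    suffix of "example.com". The two-label minimum is a crude guard
    against a bare TLD; it is an assumption of this example and does
    not replace a public-suffix check.
    """
    s = signer.lower().rstrip(".").split(".")
    a = author_domain.lower().rstrip(".").split(".")
    return 2 <= len(s) <= len(a) and a[-len(s):] == s

def classify(raw_message):
    """Return [(signing domain, related to a From address?)] per signature."""
    msg = message_from_string(raw_message)
    authors = [addr.rpartition("@")[2]
               for _, addr in getaddresses(msg.get_all("From", []))
               if "@" in addr]
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = signing_domain(sig)
        related = d is not None and any(is_same_or_parent(d, a) for a in authors)
        results.append((d, related))
    return results

# Constructed sample: one author-domain signature, one forwarder signature,
# and one signer whose name only looks like a suffix of the author domain.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from; bh=xx; b=yy\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=fwd; h=from; bh=xx; b=yy\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=ample.com; s=k1; h=from; bh=xx; b=yy\n"
    "From: Alice <alice@mail.example.com>\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for domain, related in classify(SAMPLE):
        print(domain, "related to From" if related else "no verifiable relationship")
```

The forwarder's signature is not rejected here; it is only reported as having no DNS-verifiable relationship to the From address, which is the one distinction the reply says a receiver can establish on its own.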