On October 13, 2005 at 16:24, Jim Fenton wrote:
I've brought up the issue of signer roles, but it appears
to have been rejected or gained no traction.
An attacker can easily add headers to assert that they're a mailing list
(albeit one you haven't heard of), resender, etc. and sign them. I
don't think there is any way to prove what the signer role is.
There is no way to prove that a signing domain, and what it signs,
can be trusted (the reason trust systems must exist). So how is
specifying the role any different from what else is signed?
--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
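The point ewh makes above, that a signing domain can put any role claim it likes into the headers it signs and a verifier will happily accept the signature, as an added Go example (this is illustration written for this page, not code from the thread or from any DKIM implementation). It is a simplified RSA-SHA256 DKIM signer and verifier with relaxed header and simple body canonicalization; the domain attacker.example, selector sel1, the List-Id and X-Signer-Role headers, the addresses, the body and the in-memory map standing in for DNS key records are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Header is one RFC 5322 header field.
type Header struct{ Name, Value string }
// relaxedHeader: DKIM "relaxed" header canonicalization (lowercase name, unfold,
// collapse whitespace, trim, CRLF terminated).
func relaxedHeader(h Header) string {
	return strings.ToLower(h.Name) + ":" + strings.Join(strings.Fields(h.Value), " ") + "\r\n"
}
// simpleBody: DKIM "simple" body canonicalization, exactly one trailing CRLF.
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }
// headerHash hashes the h= headers in order, then the DKIM-Signature field with an empty b= and no CRLF.
func headerHash(headers []Header, signed []string, dkimSig string) []byte {
	h := sha256.New()
	for _, name := range signed {
		for _, hdr := range headers {
			if strings.EqualFold(hdr.Name, name) {
				h.Write([]byte(relaxedHeader(hdr)))
				break
			}
		}
	}
	withoutB := dkimSig[:strings.Index(dkimSig, "; b=")+4]
	h.Write([]byte(strings.TrimSuffix(relaxedHeader(Header{"DKIM-Signature", withoutB}), "\r\n")))
	return h.Sum(nil)
}

// Sign returns a DKIM-Signature value covering exactly the header names listed in signed.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []Header, signed []string, body string) (string, error) {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	b, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, signed, sig))
	if err != nil {
		return "", err
	}
	return sig + base64.StdEncoding.EncodeToString(b), nil
}

// Verify checks the signature against the key "published" for selector._domainkey.domain.
// A valid result proves only that d= signed those fields, not that any claim inside them is true.
func Verify(dns map[string]*rsa.PublicKey, headers []Header, body, dkimSig string) (string, []string, error) {
	tags := map[string]string{}
	for _, t := range strings.Split(dkimSig, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			tags[k] = v
		}
	}
	domain, signed := tags["d"], strings.Split(tags["h"], ":")
	pub, ok := dns[tags["s"]+"._domainkey."+domain]
	if !ok {
		return domain, signed, fmt.Errorf("no key published for %s", domain)
	}
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if tags["bh"] != base64.StdEncoding.EncodeToString(bh[:]) {
		return domain, signed, fmt.Errorf("body hash mismatch")
	}
	b, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return domain, signed, err
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(headers, signed, dkimSig), b); err != nil {
		return domain, signed, fmt.Errorf("signature invalid: %w", err)
	}
	return domain, signed, nil
}

// Demo: the hypothetical attacker.example asserts a mailing-list role in headers it signs with its own key.
func Demo() (domain string, signed []string, verifyErr, tamperErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dns := map[string]*rsa.PublicKey{"sel1._domainkey.attacker.example": &priv.PublicKey} // constructed DNS
	headers := []Header{
		{"From", "news@attacker.example"}, {"To", "victim@example.com"}, {"Subject", "Weekly digest"},
		{"List-Id", "Security digest <digest.attacker.example>"}, // self-asserted role
		{"X-Signer-Role", "mailing-list"},                        // self-asserted role
	}
	body := "Hello\r\n"
	sig, err := Sign(priv, "attacker.example", "sel1", headers, []string{"from", "to", "subject", "list-id", "x-signer-role"}, body)
	if err != nil {
		return "", nil, err, nil
	}
	domain, signed, verifyErr = Verify(dns, headers, body, sig) // verifies: the signer owns the key
	tampered := append([]Header{}, headers...)
	tampered[4].Value = "resender" // altering the asserted role afterwards does break the signature
	_, _, tamperErr = Verify(dns, tampered, body, sig)
	return
}
```

Running Demo shows the asymmetry the thread is about: the role header is integrity-protected (changing it invalidates the signature), but the verifier learns only that attacker.example signed it. Whether that domain really is a mailing list or resender is exactly what the signature cannot establish, so a consumer still needs some trust decision about d= before the role means anything.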