Earl Hood wrote:
> On October 16, 2005 at 22:32, Jim Fenton wrote:
>
>> If there is an OA signature, there's one less degree of freedom and I
>> have a better assurance that the message actually came from the domain
>> of the From address. For other signatures, it doesn't really matter
>> what the role of the signer is: anyone can be a "mailing list" if they
>> want to.
>
> This goes back to who does signing and when. It appears that the
> original intent of DKIM was for signing by originating domains.
> It then evolved to any domain that wants to claim responsibility.
> The former has a known role while the others do not.

That wasn't the original intent of DKIM, because we had a lot of
experience with DK and IIM by that time. But sure, originating domain
signing is the more obvious place to start.

> If additional roles will not, or cannot, be specified, I see no value
> in signing unless you are the originating domain, where signer role
> and semantics are better defined due to binding to originating
> header fields.
>
> There is little, to no, incentive for a domain to claim responsibility
> for a message that does not originate from its domain if it cannot
> specify the role it played in the transmission of the message.

A domain can certainly assert its role, by signing a header such as
Sender or Resent-From that has a relationship with the signer address.
The questions (for me) have been (1) Can the verifier rely on an
assertion of role by the signature [no, unless you know that the signer
is reliable], and (2) Must a signature assert a role in order to be a
valid signature [I would argue "no"].
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
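
The role assertion discussed in this thread, as an added example that is not part of the original messages or of any DKIM implementation: for each DKIM-Signature it reports which signed originator headers (From, Sender, Resent-From) carry an address in the signer's domain. It assumes the `d=` and `h=` tag names of the later published DKIM specification, treats subdomains of `d=` as matching, and does not verify the signature itself; the sample message and its domains are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

ROLE_HEADERS = ("from", "sender", "resent-from")

# Constructed sample: a list signature, an author signature, a relay signature.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=sel1;\n"
    " h=from:sender:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=sel2;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=relay.example; s=sel3;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@author.example>\n"
    "Sender: discuss-bounces@list.example\n"
    "Subject: test\n\nbody\n"
)

def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def domain_matches(addr_domain, signer):
    # Assumption: an address in a subdomain of d= counts as related to the signer.
    return addr_domain == signer or addr_domain.endswith("." + signer)

def asserted_roles(raw_message):
    """Return [(signer_domain, [headers the signature binds to that domain])].

    An empty list is a signature that asserts no role. A non-empty list is only
    an assertion by the signer, not something the verifier can rely on by itself.
    """
    msg = message_from_string(raw_message)
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signer = tags.get("d", "").lower()
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        roles = []
        for header in ROLE_HEADERS:
            if header not in signed:
                continue  # the header is not covered by this signature
            addrs = getaddresses(msg.get_all(header, []))
            domains = [a.rpartition("@")[2].lower() for _, a in addrs if "@" in a]
            if any(domain_matches(d, signer) for d in domains):
                roles.append(header)
        results.append((signer, roles))
    return results
```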