On Sat, 2005-11-05 at 00:38 -0500, Hector Santos wrote:
And how does a VERIFIER or SIGNER get this "exposed expressed desire"? How
does the VERIFIER and possibly RESIGNER get this information?
The opportunistic scheme is rather simple, so I'll try fewer words.
As the MDA sees broad-bindings with matching domains, it compiles a list
of these matches. This list could be simply the domain-names.
this-bank.com
that-bank.com
pay-this.com
pay-that.com
this-store.com
that-store.com
Perhaps these names are stored in a zone or a database. It does not
matter.
When a message is received and there is a domain within the list that
matches a possible originating email-address domain, but the
signing-domain does not match, this should raise an alert on the message.
Instead of 'w=b' there could be an assertion of 'w=p' where such match
failures should be considered possible "phishing" attacks.
The difference is subtle. An email-address is never expected to
authorize the signing-domain or have a policy. The signing-domain
asserts the email-address relationship within the signature.
Your chart should not offer hostile treatment when email-addresses don't
match the signing-domain, unless they are on a list. When they are not
on the list, then the reputation of the signature would simply be
evaluated. In this case, the signing-domain and email-domain not
matching is fine. At least the signature provides a valid place to
complain, not the email-address.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
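The check Doug describes above, as an added example that is not part of the original post or of any DKIM implementation: an MDA-side function that compares the From-address domain against a compiled list of protected domains and against the `d=` signing domain(s) of the DKIM-Signature header(s). The six domain names are the ones listed in the post; the function and variable names, the result labels, and the sample messages are constructed for this example. The example assumes the DKIM signature has already been cryptographically verified before `d=` is consulted (an unverified `d=` is attacker-controlled and proves nothing), and it treats a list-matching From domain with no signature at all the same way as one with a non-matching signature, which is an assumption about how the post's rule extends to unsigned mail.

```python
"""Opportunistic phishing check: protected-domain list vs. DKIM signing domain.

Added example, not code from the DKIM working group or the mailing-list post.
Assumes every DKIM-Signature header present has ALREADY been verified by the
MDA; only then is its d= tag trustworthy as "a valid place to complain".
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed list standing in for the MDA's compiled list of domains whose
# broad-binding signatures have been seen (names taken from the post).
PROTECTED_DOMAINS = {
    "this-bank.com", "that-bank.com",
    "pay-this.com", "pay-that.com",
    "this-store.com", "that-store.com",
}

# Result labels are constructed for this example; 'phishing-alert' is the
# case the post proposes signalling as 'w=p'.
ALIGNED = "aligned"
PHISHING_ALERT = "phishing-alert"
EVALUATE_REPUTATION = "evaluate-signature-reputation"
UNSIGNED = "unsigned"
NO_FROM = "no-from-domain"


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace inside a value (e.g. a wrapped b= tag) is removed.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())
    return tags


def from_domain(msg: Message):
    """Domain of the From header's address, lower-cased, or None if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def signing_domains(msg: Message) -> set:
    """All d= domains from DKIM-Signature headers (a resigner may add one)."""
    found = set()
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_dkim_tags(value).get("d", "").lower().rstrip(".")
        if d:
            found.add(d)
    return found


def classify(raw_message: str, protected=PROTECTED_DOMAINS) -> str:
    """Apply the post's rule to one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    fdom = from_domain(msg)
    sdoms = signing_domains(msg)
    if fdom is None:
        return NO_FROM
    if fdom in sdoms:
        # The signing-domain asserts the email-address relationship itself.
        return ALIGNED
    if fdom in protected:
        # On the list but not signed by that domain: the 'w=p' case.
        return PHISHING_ALERT
    # Not on the list: a mismatch is fine, judge the signature's reputation.
    return EVALUATE_REPUTATION if sdoms else UNSIGNED


# Constructed sample messages (signature values are placeholders, not real).
SAMPLE_ALIGNED = (
    "From: alerts@this-bank.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=this-bank.com; s=sel;\r\n"
    "\th=from:to; bh=AAAA; b=BBBB\r\n"
    "\r\nbody\r\n"
)
SAMPLE_PHISH = SAMPLE_ALIGNED.replace("d=this-bank.com", "d=bulk-mailer.example")
SAMPLE_LISTMAIL = SAMPLE_PHISH.replace("alerts@this-bank.com", "user@some-list.example")
SAMPLE_UNSIGNED_BANK = "From: alerts@this-bank.com\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, sample in [("aligned", SAMPLE_ALIGNED), ("phish", SAMPLE_PHISH),
                         ("listmail", SAMPLE_LISTMAIL),
                         ("unsigned-bank", SAMPLE_UNSIGNED_BANK)]:
        print(f"{name:14s} -> {classify(sample)}")
```

The list lookup is an exact, case-insensitive match on the From domain, which is all the post asks for; whether a signature from a parent domain (say, `this-bank.com` signing for `mail.this-bank.com`) should count as aligned is a policy choice the post does not settle, so the example deliberately requires an exact match.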