ietf-dkim

Re: [ietf-dkim] DKIM charter

2005-11-14 16:44:32
On 11/14/2005 18:25, Douglas Otis wrote:
On Nov 14, 2005, at 2:04 PM, Jim Fenton wrote:
Barry,

DESCRIPTION OF WORKING GROUP:

The Internet mail protocols and infrastructure allow mail sent from one
domain to purport to be from another.  While there are sometimes legitimate
reasons for doing this, it has become a source of general confusion, as well
as a mechanism for fraud and for distribution of spam (when done
illegitimately, it's called "spoofing").

The parenthetical seems to be a bit misplaced, and might fit better
to the use of the word "legitimate".  This might read more easily
if broken into two sentences.

Considering the potential for this statement to be in conflict with
existing practices, perhaps much of the otherwise difficult
justifications can be avoided by restating the intended goals of the
working group.  For example, it should be perfectly legitimate for
the From to be signed by a different domain.  Otherwise, the
resulting disruptions will likely prevent DKIM deployment.  Even
adding just a Sender header has been problematic.  How about:

----
Verifying a domain accountable for a message is a problem for users
of Internet mail when deciding whether to accept messages.  DKIM
verifies a signing domain name that serves as a basis for trusting
the selected content and headers within a message.  The DKIM working
group will produce standards-track specifications that permit
authentication of a domain name associated with the message using
public-key signatures and based upon domain name identifiers.  This
specification will also verify that the selected content and headers
were not changed subsequent to the signature.

In special cases, the accountable domain may wish to assure the
recipient that all messages having an originating email-address
within this domain will be signed by the domain.  This assurance is
to abate spoofing that has become common for some types of
transactional email.  This assurance will be in conflict with current
practices where the purported author is not associated with the
signing-domain.  To prevent undue conflict and disruption, the lack
of originating email-address assurances must be considered normal and
fully acceptable, and partial assurances should never be used.
----

I think that would be a step backwards from the current wording.

Scott K
_______________________________________________
ietf-dkim mailing list
http://dkim.org
