ietf-dkim

RE: [ietf-dkim] SSP security relies upon the visual domain appearance

2005-11-17 19:31:29
Doug, 
If the hash validates to the signing domain and first sender, why is it 
necessary that the two domains be the same? 
thanks,
Bill


-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org on behalf of Douglas Otis
Sent: Thu 11/17/2005 6:43 PM
To: Stephen Farrell
Cc: IETF-DKIM
Subject: Re: [ietf-dkim] SSP security relies upon the visual domain appearance
 

On Nov 17, 2005, at 2:27 PM, Stephen Farrell wrote:
> Doug - quick and simple question: does all of this depend
> on there being >1 From address?

First-party policy mandates (the only mode restricting use and  
somewhat protecting reputation) require the _first_ email-address  
correspond to the signing-domain.  This single address may not  
identify the author to the recipient, such as with a list-server.  A  
list-server may also be dealing with many different policies, where  
exploding the message will likely include multiple From addresses as  
a general precaution to ensure delivery.

The problem related to a correlation of the signing-domain with that  
of the email-address represents a general loss of freedom, even when  
there is only one From address used.  The sender's ability to use a  
preferred or recognized email-address has been lost without adding an  
additional From.  There are schemes in place to accrue reputation at  
the email-address providing authorization, as a by-product of prior  
mechanisms.

Reputation accrual at the email-address unfairly shifts  
accountability onto the email-address domain owner obligating use of  
a first-party mandate, especially where a list of authorized signers  
is used.  I doubt there is any reasonable method to publish out-of-band  
authorizations without incurring such a side-effect.  This would  
be due to inherited legacy and a prevailing mindset that  
authorization is authentication.

-Doug

PS. The SSP designation for this mode would be !.



_______________________________________________
ietf-dkim mailing list
http://dkim.org

