ietf-dkim

Re: [ietf-dkim] Re: Attempted summary

2006-01-26 18:09:54
william(at)elan.net wrote:

> On Thu, 26 Jan 2006, Mark Delany wrote:
>
>> Right. So the question is, can a signature be constructed such that it
>> doesn't interact with SSP to infer a binding above and beyond "I claim
>> it passed through me"?
>
> Make 'i' optional.

'i' is optional, but takes the value @d if it is missing.

> My preference however is to have a field in the signature that specifies
> what type of email parameter the signature is associated with (i.e.
> see 'id' segment of metasignatures).

If we know this, presumably one could tell, for example, whether a
signature came from a mailing list.  But it's the signer's assertion
what their role is:  one might imagine setting up a rule, "I'll accept
any messages re-signed by mailing lists."  So the Bad Actors will just
start adding a few more headers, and all of a sudden you're getting lots
of mail from the unbelievable-deals@example.com mailing list, with
messages from "people" talking about what great deals they got.

Since there's no way to know what the role of the signer really is, it's
not a useful piece of information.  What is useful is who the signer is,
and then the verifier or recipient might recognize it:  Oh, it's signed
by mipassoc.org, which gives the responsible address as
ietf-dkim-bounces@mipassoc.org.  I know that's a mailing list.

-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
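
The point made in the reply above, as an added example that is not part of the original thread: a verifier derives the signing identity (with `i=` defaulting to `@` plus the `d=` value) and matches it against signers it already recognizes, ignoring any role the signer asserts about itself. The `role` tag, the `KNOWN_SIGNERS` table, the selector and the sample headers are hypothetical and constructed for illustration; the code assumes the signature has already verified cryptographically.

```python
import re

# Constructed local policy: signing identities this verifier already recognizes.
KNOWN_SIGNERS = {"ietf-dkim-bounces@mipassoc.org": "mailing list"}

# Constructed sample DKIM-Signature values (only the tags relevant here).
LIST_SIG = "d=mipassoc.org; s=sel; i=ietf-dkim-bounces@mipassoc.org"
# A signer claiming a role through a hypothetical self-asserted "role" tag.
SPAM_SIG = "d=example.com; s=sel; role=mailing-list"


def parse_tags(header_value):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signer_identity(tags):
    """Return (d, i); i takes the value "@" + d when the i= tag is missing."""
    d = tags["d"].lower()
    i = tags.get("i", "@" + d).lower()
    i_domain = i.rsplit("@", 1)[-1]
    # The i= domain must be the d= domain itself or a subdomain of it.
    if i_domain != d and not i_domain.endswith("." + d):
        raise ValueError("i= domain %r is not within d=%r" % (i_domain, d))
    return d, i


def classify(header_value):
    """Classify a verified signature by who signed it, not by a claimed role."""
    tags = parse_tags(header_value)
    _, i = signer_identity(tags)
    # tags.get("role") is deliberately never consulted: it is only the
    # signer's own assertion and any sender can set it.
    return i, KNOWN_SIGNERS.get(i, "unrecognized signer")


if __name__ == "__main__":
    for sig in (LIST_SIG, SPAM_SIG):
        print(classify(sig))
```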