[ietf-dkim] Re: What the verifier can do

2006-04-29 12:43:20

Fully disagree. The verifier can use whatever means it has, including using heuristics, to see if the message is actually sent by the purported sender.

Again, we need to distinguish between the mechanics of verifying a signature, versus the policies that might be used to process a message. Hence, a receiver plays two different roles. In one role, they are validating a digital signature. In the second they are attempting to decide what to do with a message they have received.

A specification for doing signature validation should not use heuristics. It needs to have simple, mechanical, universal procedures that produce a binary valid/invalid result and produce those same results anywhere the validation is attempted.

A specification for processing a message well might suggest use of heuristics and well might produce very different results, depending upon where the processing is performed.

Anything that confuses these two, very different types of activity makes it more likely that the entire DKIM effort has fuzzy meaning, and therefore fuzzy benefit, and therefore is questionable to adopt.

d/

--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html