Scott Kitterman wrote:
On Thursday 27 July 2006 14:00, Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:

My requirements
I sign all
I sign nothing
I sign only 3rd party
I sign all and 3rd party
I sign some mail

My Policy/Practice
I sign all - every piece of mail purported to be from me must be signed

Must be signed by you or must be signed by anybody? If the latter, it's
trivially spoofable unless you have a list of others that are authorized to
sign.

Sure; third-party signatures will have a bigger dependence on
reputation/accreditation/whitelists/etc. than originator signatures.
Using cisco.com as an example, how would we create a list of others that
are authorized to sign? We have people using mailing lists, "mail this
article to a friend", and similar services all over the place. There's
no way that we could catalog a complete list. However, we might want to
white list a bunch of likely-reliable signing domains (e.g., ietf.org,
mipassoc.org and maybe nytimes.com) and treat these messages with less
scrutiny.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
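
The distinction discussed in this message, sketched as a receiver-side check. This is an added example, not code from the thread or from any DKIM specification: the function names, the verdict strings and the sample message are constructed, and the whitelist holds the domains named in the message as candidates. It assumes signature verification and the lookup of the author domain's "I sign all" statement happen elsewhere.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a receiver-local list of third-party signers treated with
# less scrutiny (the candidate domains named in the message above).
TRUSTED_THIRD_PARTY = {"ietf.org", "mipassoc.org", "nytimes.com"}

# Constructed sample message.
SAMPLE = "From: Alice <alice@cisco.com>\nSubject: test\n\nbody\n"


def author_domain(raw_message):
    """Return the lower-cased domain of the From: address, or '' if absent."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def evaluate(raw_message, verified_signers, signs_all):
    """Classify a message (hypothetical helper).

    verified_signers: d= domains whose signatures already verified.
    signs_all: True if the author domain states "I sign all".
    Domain matching is exact; subdomains are not considered here.
    """
    author = author_domain(raw_message)
    signers = {d.lower() for d in verified_signers}
    if author and author in signers:
        return "originator-signed"
    if signers & TRUSTED_THIRD_PARTY:
        # Third-party signature from a locally whitelisted signer.
        return "trusted-third-party"
    if signs_all:
        # A valid signature from an arbitrary domain does not satisfy
        # "I sign all": anyone can sign with a domain they control.
        return "suspicious"
    return "neutral"


if __name__ == "__main__":
    for signers in (["cisco.com"], ["ietf.org"], ["attacker.example"], []):
        print(signers, evaluate(SAMPLE, signers, signs_all=True))
```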