On Jul 28, 2006, at 11:38 AM, Jim Fenton wrote:
> Michael Thomas wrote:
> > John L wrote:
> > > I still don't understand the scenario. Let's call the domain
> > > isp.com.
> > > Is it:
> > > A) No mail has an isp.com From: address, but mail with other
> > > From: addresses may have an isp.com signature.
> >
> > Consider what I believe Y! does in their MUA: if it's got a valid
> > signature from isp.com with a From: foo@customer.com, it doesn't
> > get a nice little message saying that Y! believe it came from
> > customer.com. Thus the outsourced mail will not be treated on a
> > par with mail signed on behalf of the domain.
>
> But suppose example.com is not a customer of isp.com but yet a
> message from example.com has a valid signature from isp.com. Are
> you saying that Y! should say that it believes it came from
> example.com, based on the assertion by isp.com that it only signs
> third-party messages?

A better ISP could confirm the valid use of an email-address as a low
cost means of enhancing their services. This might involve noting
that the email-address has not been used previously by this user and
requesting that they confirm that they receive messages for this address
by clicking on a link, for example. With such an ISP, it would be
safe to list them as a designated signer and still avoid spoofing.

> Maybe I have trimmed off too much context here; I thought we were
> discussing the value of an "I only sign third-party messages". I'm
> with John; I don't see how that provides any useful information to
> the verifier.

I think that Bill poorly stated the desired policy. It should have
been from the perspective of the OA rather than the signer. This
should have been that there are no designated signers for the OA of
this domain. Whether this domain signs messages for other OAs would
be independent of this assertion.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html