Wietse Venema wrote:
I think it is a mistake to attach significance to the author-domain (rfc822.from) unless there is a reason to trust the signing-domain for this purpose (for example, scenarios 1a or 1b above).

Trust is probably the wrong concept here. If a domain advertises A records in its DNS, I have some basis for belief that that is what they intend. It doesn't say that I "trust" them per se (i.e., I have no idea a priori whether they point to something malicious or not). The same goes for SSP: if the From domain says that it should have a valid signature, I may not trust the site, but I at least have some belief that the name being asserted is intended if it verifies (vs. forged). That's useful information regardless of whether I know much about the site. Take, for example, all of these small regional banks being phished now...
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html