ietf-dkim

Re: [ietf-dkim] Delegating responsibility: a make vs. buy design decision

2006-08-18 12:37:42
Wietse Venema wrote:

> I think it is a mistake to attach significance to the author-domain
> (rfc822.from) unless there is a reason to trust the signing-domain
> for this purpose (for example, scenarios 1a or 1b above).
Trust is probably the wrong concept here. If a domain advertises A records
in its DNS, I have some basis for belief that that is what they intend. It
doesn't say that I "trust" them per se (i.e., I have no idea a priori
whether they point to something malicious or not). The same goes for SSP:
if the From domain says that it should have a valid signature, I may not
trust the site, but I at least have some belief that the name being
asserted is intended if it verifies (vs. forged). That's useful information
regardless of whether I know much about the site. Take, for example, all of
these small regional banks being phished now...

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html