ietf-dkim

Re: [ietf-dkim] user level ssp

2006-09-07 07:12:15
Douglas Otis wrote:
> Not all messages signed by a domain are:
> - trustworthy.
> - offer valid email-addresses.
>
> These facts pose a basic problem when attempting to convey trust
> related information to a recipient by way of annotation.  How else is
> DKIM to be used?

Well, MAYBE TO PREVENT SPAM!!!!  Gaaah!

But I just really really don't get what you're getting at.  DKIM is
(or should be!) essentially a transport layer solution, and you're
talking application layer.

So some particular application wants some mechanism whereby it
distributes levels of trust in its email.  Why wouldn't they
just add a header line to their mail that says "this mail is
extra-double-secret trusted", and then sign that line along with
everything else?

> Most institutions are not willing to vouch for the integrity of all
> signed messages.  Once signed, a message can be replayed, thereby
> amplifying concerns of their integrity.  An ability for the domain to
> vouch for only specific email-addresses offers substantial protections
> for both the domain and the recipient.

WHAT!?!?!! WHAT!!?!??  Why would a domain sign a message if it wasn't
vouching for that message!!?"!?!??

Messages can be "replayed"?  How do per-user signatures help stop
that?  DKIM doesn't make assurances about the intended recipient,
only about the sender.

> This selectivity can be achieved without email-address selective
> policies.  However, isolation by email-address likely conforms to most
> domains' expectations and present practices.

Please please please give an actual real-world example of what you're
talking about, because everything I read from you sounds like
mumbo jumbo.  Just one little real live situation.  That's all.
Come up with that, and at least maybe I'll finally understand what
you're talking about.

        tom
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
