On Wed, 08 Nov 2006 04:46:08 -0000, wayne <wayne(_at_)schlitt(_dot_)net> wrote:
In <60A9EDD76DBBFE48ABE4FE35324BBB8201B51798(_at_)dooku(_dot_)ironportsystems(_dot_)com>
"Patrick Peterson" <ppeterson(_at_)ironport(_dot_)com> writes:
- I sign all email AND have enough confidence in the reliability of
signatures AND the risk of allowing spoofed email is high enough that I
choose to accept the risk and therefore state that receivers should drop
unsigned/invalid signature email.
OK, as a receiver, can I blame the sender for any problems with
legitimate email being rejected due to DKIM failures? If a receiver
can't transfer the blame to the sender, why should the receiver treat
this any different than just being suspicious?
I think some site like a Bank, that is heavily phished, might go so far as
to declare
"I sign all mail. Please delete/reject/drop/whatever (perhaps even
silently)
all messages that fail to verify".
That site would have to be pretty confident that the genuine mail it sent
out was 100% clean, but it might well decide that it was a lesser risk to
have some genuine messages dropped than to let phishes go through.
BTW, are there any plams to have keywords for some of the various policies
that might be declared, so that verifiers (or rather their policy modules)
could recognize them and adjust their policy accordingly)?
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html