On Oct 1, 2007, at 8:37 AM, Michael Thomas wrote:

> Charles Lindsey wrote:
>> The only real solution to this problem is for B to add an
>> Authentication-Results header (see the Mail-Vet-Discuss mailing
>> list), and to include that header in its own signature. Maybe that
>> is veering off topic for this list, but at least there should be a
>> pointer to that sort of possibility.
>
> This doesn't work in the abstract because Auth-res isn't
> necessarily trustable across domains, and in fact I often don't
> trust who produced it even if it could be authenticated.

With the tpa-ssp extension for ssp, it is possible for an email
domain to indicate which DKIM domains are authorized. This scheme
scales to any number of authorizations without inducing a large
number of DNS transactions.

http://www1.tools.ietf.org/wg/dkim/draft-otis-dkim-tpa-ssp-01.txt

This extension is also able to specify which originating headers are
permitted. The authorization list is intended to ensure hashed
domain name collision is not possible.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html