Dave Crocker wrote:
Mechanisms like OpenPGP and S/MIME essentially validate the
authenticity of content. DKIM does not. For example, a DKIM
signature does not contain the semantics that claim that the From
field is correct, nevermind that it does not distinguish between
"brands" such as are often implied by the display string in the From
field, versus the email address in it.
Rather, DKIM's task is to allow an organization to say this it has
some responsibility for the message; that is, come to them if there is
a problem.
In looking at the range of features that have been added to SSP, I
keep thinking that this distinction is not clear. It seems to me that
there is tendency to want to build "the content is valid" mechanisms
into SSP.
Thoughts?
What is relevant to SSP is whether the signer is asserting that the
From: header field is authentic. Or more specifically, whether the
signer is making that assertion in the specific case when the address in
the From: header field is the same as the signing address. SSP has no
other dependency on whether the signer is asserting validity or is
"merely" taking responsibility.
Part of me wants to say this it's vaguely silly for a signer to take
responsibility for a message that purports to come from themselves, but
which they didn't send. But I suppose RFC 4871 doesn't explicitly call
this out.
If there is consensus that this indeed isn't clear, we could easily add
verbiage to SSP stating that domains publishing SSP records other than
"unknown" MUST additionally ensure that they only sign messages
purporting to come from themselves when the address in the From: header
field is valid. That way, we're putting the additional burden on those
who publish SSP records but are not trying to modify the meaning of RFC
4871 at all.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html