-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The thing I find most disturbing is that I perceive an effort to turn
DKIM into a user-level signing system. This is not the intent of DKIM.

DKIM has never outright forbidden this -- heck, what consenting
senders do in the privacy of their own domain is their business. But
DKIM is carefully constructed so that the signature tracks back to
the domain and only the domain for privacy reasons. We didn't want it
to be a big brother identification and tracking system. Changing that
is not only a change counter to the intent of DKIM, but it is wicked
and evil. It contributes to the creeping surveillance we're all
subject to.

(Side note: I am well aware that email as it exists bleeds lots of
tracking information and that the number of times that unsigned
content has ever been challenged can be counted on one hand, if not
one finger. If you can't figure out what countries I've been in in
the last couple of weeks, your header-reading-fu needs a serious
remedial lesson. That's beside the point, however. We didn't want
DKIM to make the situation worse.)

There are a number of places that this is happening. One of which is
the continued suggestion that i= means something, or worse *must* (I
don't know if the "musts" I have seen are MUSTs) track back to the
user. Stop that, please.

The i= tag is a note from the signer to the signer. It can be
anything the signer desires, and the verifier interprets it at his
own peril. It is a Humpty-Dumpty thing, it means whatever the signer
wants it to mean.

In general, signers *will* put something that is essentially tracking
information in i=. I accept that. In general, if
"i=foobar@example.com" is in a DKIM signature, there are things a
clever receiver can deduce from that. Fair enough.

Nonetheless, to step past that and assert that there must be user-
level tracking in DKIM whatever the mechanism, or even that user-
level tracking should be part of best practices is stepping too far.

Spam fighting is not so important that we should erode privacy
further than it is already eroded. It is not so important that we
should infringe upon the sovereignty of a domain and impede its
ability to protect its users.

Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII
wj8DBQFHTfynsTedWZOD3gYRAisNAJ9FRoVTixctCpD9G/E1WJjKBYDGHACg9XrV
SA5w7B7Qg6n+akuPfMRICcA=
=wD2M
-----END PGP SIGNATURE-----