ietf-dkim

Re: [ietf-dkim] ADSP and From header authentication?

2008-10-23 05:42:44
On Thu, 23 Oct 2008 01:52:56 +0100, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

> S/MIME and OpenPGP provide a means to authenticate an email-address.
> At this time, due to the Author-Signature definition, DKIM-ADSP does
> not.  DKIM without ADSP could offer an assurance that an email-address
> was authenticated, since the signature is free to indicate what the
> signing domain actually authenticates.  What the signing domain
> authenticates often differs from that of an email-address contained
> within the From or Sender header field.  The authentication-header
> draft overstates to a dangerous degree what these mechanisms
> accomplish by using the term authentication.  Fixing the ADSP
> Author-Signature definition would help eliminate the assumption of
> "authenticated" with respect to DKIM-ADSP.

Indeed so. However, it is perfectly possible to construct a DKIM signature
that does _not_ include the From header. It would violate a MUST in the
definition of DKIM, but you cannot stop signers from doing it or verifiers
from accepting it if they are so constructed. I suspect that intermediate
signers are just going to do this, RFC or no RFC.



-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131      Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
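
Added example (not part of the original post or of any DKIM implementation): a verifier-side check in Python that reads the h= tag of a DKIM-Signature header value and reports whether the From header field is among the signed fields, so a signature constructed as described above can be identified before any author-policy decision. The header values, domains and selector names are constructed samples, and no cryptographic verification is performed.

```python
import re

def parse_tag_list(value):
    """Parse a DKIM tag-list ("v=1; d=...; h=...") into a dict.
    Tag names are case-sensitive; split on the first '=' only, since
    base64 values in bh=/b= may end in '=' padding."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def signed_headers(sig_value):
    """Header field names listed in h=, folding whitespace removed, lower-cased
    (field names are compared case-insensitively)."""
    h = parse_tag_list(sig_value).get("h", "")
    names = (re.sub(r"\s+", "", n).lower() for n in h.split(":"))
    return [n for n in names if n]

def covers_from(sig_value):
    """True only if 'from' is an exact entry in h= (not a substring match)."""
    return "from" in signed_headers(sig_value)

def domains_covering_from(sig_values):
    """d= domains of the signatures whose h= list includes From."""
    return [parse_tag_list(s).get("d", "").lower()
            for s in sig_values if covers_from(s)]

# Constructed sample header values; bh=/b= are placeholders, not real signatures.
AUTHOR_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/simple;\r\n"
              "\th=From : To:Subject:\r\n\t Date; bh=PLACEHOLDER=; b=PLACEHOLDER==")
LIST_SIG = ("v=1; a=rsa-sha256; d=lists.example.net; s=ml;"
            " h=Sender:List-Id:Subject:Date; bh=PLACEHOLDER=; b=PLACEHOLDER==")
LOOKALIKE_SIG = ("v=1; d=example.org; s=x; h=X-From:Reply-To;"
                 " bh=PLACEHOLDER=; b=PLACEHOLDER==")

if __name__ == "__main__":
    for sig in (AUTHOR_SIG, LIST_SIG, LOOKALIKE_SIG):
        d = parse_tag_list(sig)["d"]
        print(d, "signs From" if covers_from(sig) else "does NOT sign From")
```

A signature that fails this check may still verify cryptographically over the fields it does list; the check only establishes that it says nothing about the From header field.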
