Any way to tell someone its signature is used in third party signing?
----- Original Message -----
From: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>
To: "Franck Martin" <franck(_at_)genius(_dot_)com>
Cc: ietf-dkim(_at_)mipassoc(_dot_)org, "Hector Santos"
<hsantos(_at_)santronics(_dot_)com>
Sent: Saturday, 21 February, 2009 10:20:39 AM (GMT+1200) Auto-Detected
Subject: Re: [ietf-dkim] NO DKIM "POLICY"
On Feb 20, 2009, at 1:58 PM, Franck Martin wrote:
but it can come from @example.com signed by @test.com
This could be described as a third-party signature, where test.com should not be
considered authoritative for example.com, just as ads.example.com should not
be. While test.com may allow acceptance of example.com's email, its signature
should not directly assure recipients that use of the example.com domain is not
being spoofed. Socially engineered attacks can easily acquire a signature from
an otherwise reputable domain.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
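
Added example, not part of the original thread and not code from any list participant: a sketch that labels each DKIM-Signature on a message as author-domain or third-party by comparing its d= tag with the From: domain, using the exact-match rule described above (ads.example.com is not authoritative for example.com). It assumes signatures were already cryptographically verified elsewhere and looks only at d=; the sample message and its PLACEHOLDER values are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh=/b= values are placeholders, not real signatures.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=test.com; s=sel1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=ads.example.com; s=sel2;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant; drop it.
            tags[name.strip()] = "".join(val.split())
    return tags

def classify_signatures(raw):
    """Return (author_domain, [(signing_domain, kind), ...]) in header order."""
    msg = message_from_string(raw)
    # Domain of the address in From:, i.e. the author domain.
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        d = parse_tags(header).get("d", "").lower().rstrip(".")
        # Exact match only: a subdomain or unrelated signer is third-party
        # and gives no assurance about use of the author domain.
        kind = "author-domain" if d and d == author else "third-party"
        results.append((d, kind))
    return author, results

if __name__ == "__main__":
    author, sigs = classify_signatures(SAMPLE)
    for d, kind in sigs:
        print(f"From domain {author}: signature d={d} is {kind}")
```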