On Fri, 30 Apr 2010 08:25:31 +0100, Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org>
wrote:
On 4/29/10 6:06 PM, John Levine wrote:
I just don't see how you can simultaneously say "throw away unsigned
mail" and "don't throw away unsigned mail if a list says it used to
be signed" unless you have some way to identify trustworthy lists.
Agreed. People might trust authentications of a From domain based upon
valid Author Signatures, but they should not trust From domains based
upon A-R header indications of previous Author Signatures without
knowing how the A-R headers were processed. Any assumption of proper
processing would permit simple exploits and invite abuse. Those most
interested in determining proper A-R header processing by third-parties
would be those with an interest in protecting their recipients, such as
financial institutions.
Which is why A-R headers need to be signed by whoever created them Then at
least you know where they came from and can adjust you policies
accordingly.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html