ietf-dkim

Re: [ietf-dkim] detecting header mutations after signing

2010-10-13 22:00:18
On Wednesday, October 13, 2010 03:59:27 pm Jeff Macdonald wrote:
> On Wed, Oct 13, 2010 at 2:47 PM, Scott Kitterman <ietf-dkim(_at_)kitterman(_dot_)com> wrote:
>> On Wednesday, October 13, 2010 02:27:29 pm Jeff Macdonald wrote:
>>> And even if there was a DKIM signature, it is the BAD GUY'S signature,
>>> which should cause it to go into the SPAM folder, with a large
>>> phishing warning.
>>
>> No.  That misses the point entirely.  The problem here is that one can
>> take a DKIM signed message that is signed by any entity and add
>> additional From/Subjects and the message may still appear to be the one
>> signed by the original entity even though it's been modified
>> post-signature.
>
> Right. I had understood that and then forgot.
>
> If DKIM is just viewed as providing an identifier and nothing more,
> then this is a MUA problem.
>
> If DKIM is viewed as providing more than an identifier, then this is a
> DKIM problem.

The identifier only makes sense within a context.  For DKIM that context is the 
signed content.  For the identifier to be meaningful, it has to be connected to 
the actual content of the message, if not, the identifier could be arbitrarily 
reused and would serve little purpose.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
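An added example, written for this page and not code from the thread or from any DKIM implementation, of the receiver-side check the discussion calls for: per RFC 6376 section 5.4 each name in the h= tag covers one header instance counted from the bottom of the header block, so instances prepended after signing stay uncovered unless the signer over-signed (listed the name more times than it occurs). The message text, the SENSITIVE set and the function names are constructed for the example.

```python
import re
from collections import Counter

# Header fields whose unsigned duplicates would change what the recipient sees (assumed set)
SENSITIVE = {"from", "subject", "to", "date", "reply-to"}

def parse_headers(raw):
    """Split raw RFC 5322 header text into (name, value) pairs, unfolding continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:          # folded continuation of previous field
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def signed_header_list(dkim_value):
    """Return the h= tag of a DKIM-Signature value as a list of lower-cased field names."""
    m = re.search(r"(?:^|;)\s*h=([^;]*)", dkim_value)   # '(?:^|;)' keeps 'bh=' from matching
    if not m:
        return []
    return [n.lower() for n in re.sub(r"\s+", "", m.group(1)).split(":") if n]

def unsigned_header_instances(raw):
    """Map each sensitive field to the number of its instances the first DKIM-Signature
    cannot vouch for. This does not verify b=; it only shows which displayed headers
    the signature never covered (a positive count = unsigned copies at the top)."""
    fields = parse_headers(raw)
    sigs = [v for n, v in fields if n == "dkim-signature"]
    if not sigs:
        return {}
    signed = Counter(signed_header_list(sigs[0]))
    present = Counter(n for n, _ in fields)
    return {name: present[name] - signed[name]
            for name in SENSITIVE if present[name] > signed[name]}

# Constructed sample: the signer covered one From and one Subject; a later party prepended
# a second From and Subject, which most MUAs would display instead of the signed ones.
SAMPLE = """From: "Payments Desk" <alerts@example.net>
Subject: Action required: confirm your account
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; c=relaxed/relaxed;
 h=from:to:subject:date; bh=xxxx; b=yyyy
From: Alice <alice@example.net>
To: bob@example.org
Subject: Lunch on Friday?
Date: Wed, 13 Oct 2010 14:47:00 -0400
"""
# Same message, but the signer over-signed From and Subject; the extra copies now fall
# inside the signed set, so a real verifier would reject them and this check flags nothing.
OVERSIGNED = SAMPLE.replace("h=from:to:subject:date", "h=from:from:to:subject:subject:date")
```

Run against SAMPLE the check reports one unsigned From and one unsigned Subject; against OVERSIGNED it reports nothing, which is exactly why over-signing is the signer-side mitigation.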
