On 10/20/10 8:10 AM, Ian Eiloart wrote:
--On 19 October 2010 11:35:53 -0400 "John R. Levine" <johnl@iecc.com> wrote:
True, but there already are UI designs that indicate when a From
header is DKIM verified.
So you're saying that all a spammer has to do is to put on a
throwaway domain's signature, and the MUA will highlight at least
parts of the message with green goodness? Surely our understanding
of domain reputation is better than that.
I believe that's the basis of this whole discussion, isn't it? The
point is that the MUA tells you whether the header was signed, and
leaves you to apply the domain or address reputation. I think that's
a step forward. At least, it is when I know the purported author.
And, surely I'm better at assigning reputation to -say- my brother
than any automated system is.
DKIM does not authenticate the From header field; however, it provides
authenticated DKIM domains that are, at a minimum, bound with the From
header field.
When the DKIM domain is "Big-Bank.com", and you or your system trusts
this domain, there should also be less concern related to whether a From
header field containing "accounts@big-bank.com" offers deceptive
information.
But, hey, I'm on your side here. I think we should put a warning in
the RFC so that vendors are informed that they need to be sure
they're highlighting the correct header.
Why? There would not be a problem when DKIM verification results return
PERMFAIL when there is any doubt which From header field might be
selected when more than one exists.
-Doug
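As an added illustration (not code from this thread or any DKIM implementation), the checks a verifier can apply before touching any cryptography: refuse the message when more than one From: field exists, require From: to be in the signed header list, and report the DKIM d= domain beside the From: domain so the MUA applies reputation to the domain that actually signed. All messages, domains and signature values are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the thread); signature values are placeholders.
BANK_SIGNED = """DKIM-Signature: v=1; a=rsa-sha256; d=big-bank.example; s=sel;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: accounts@big-bank.example
To: customer@example.org
Subject: statement

body
"""
# Same message with a second From: field inserted above the signed one.
DOUBLE_FROM = "From: accounts@big-bank.example\n" + BANK_SIGNED.replace(
    "From: accounts@big-bank.example", "From: helpdesk@throwaway.example")
# A throwaway domain signs a message whose From: claims to be the bank.
THROWAWAY_SIGNED = BANK_SIGNED.replace("d=big-bank.example", "d=throwaway.example")

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into a tag dict; folding whitespace is dropped."""
    tags = {}
    for item in re.sub(r"\s+", "", value).split(";"):
        key, _, val = item.partition("=")
        if key:
            tags[key.lower()] = val
    return tags

def from_binding_check(raw):
    """Checks a verifier applies before any crypto: exactly one From: field,
    From: covered by h=, and whether the d= domain matches the From: domain."""
    msg = message_from_string(raw)
    froms = msg.get_all("From") or []
    if len(froms) != 1:          # ambiguous author: fail hard rather than guess
        return {"result": "PERMFAIL", "reason": f"{len(froms)} From header fields"}
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"result": "NONE", "reason": "no DKIM-Signature"}
    tags = parse_dkim_tags(sig)
    if "from" not in tags.get("h", "").lower().split(":"):
        return {"result": "PERMFAIL", "reason": "From not in signed header list"}
    d = tags.get("d", "").lower()
    from_domain = parseaddr(froms[0])[1].rpartition("@")[2].lower()
    aligned = from_domain == d or from_domain.endswith("." + d)
    return {"result": "OK", "dkim_domain": d, "from_domain": from_domain,
            "aligned": aligned}

if __name__ == "__main__":
    for name in ("BANK_SIGNED", "DOUBLE_FROM", "THROWAWAY_SIGNED"):
        print(name, from_binding_check(globals()[name]))
```

The third case is the spammer scenario above: the signature verifies for throwaway.example, so an MUA that highlights the From: line rather than the d= domain shows green for the wrong name.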
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html