John R. Levine wrote:
Flip that around: I want to give positive warm fuzzies to mail from the
users that are authenticated by bigisp.com and are on my positive list.
I believe that's what we call "human shields." Um, no. This whole model
of bigisp sending a mixture of legit and forged mail, and using i= to
assert nice things about the legit mail seems awfully strained. In my
experience, if I get a message with a credible signature, one of the
things that "credible" means is that the From: address is real enough to
use for message sorting.
An assertion from a large ISP-like domain with only the d= is essentially
useless. Ok, it came though bigisp.com, now what? Bigisp by definition is
going to have some bad actors, so without some other means of differentiation
the signature's domain only tells you that it's from somebody who's going to
have bad actors.
i= is one means for identifying sub-domain level granularity, but it could be
done other ways as well. You could sign an "X-Evil: yes" header as well. The
bigger problem with i= is that its semantics were underspecified because the
working group didn't want to go there. So unsurprisingly we're now in a position
where we have a large user base of signers who put something in i= and we're
not quite sure what they mean by it. Chickens: roost.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html