ietf-dkim

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-06 18:10:12
On 7/6/11 3:30 PM, John R. Levine wrote:
>> When DKIM signatures serve as a basis for acceptance, ...
> Since they don't, can we skip the rest of the screed?
In other words, when DKIM signatures serve as a basis for acceptance, this 
would be an issue?  The statement "they don't" contradicts preceding 
work and:

Section 1.2. Signing Identity
,---
Verifiers can use the signing information to decide how they want to 
process the message. The signing identity is included as part of the 
signature header field.
'---

Section 6.3.  Interpret Results/Apply Local Policy
,---
It is beyond the scope of this specification to describe what actions
an Identity Assessor can make, but mail carrying a validated SDID
presents an opportunity to an Identity Assessor that unauthenticated
email does not.  Specifically, an authenticated email creates a
predictable identifier by which other decisions can reliably be
managed, such as trust and reputation.  Conversely, unauthenticated
email lacks a reliable identifier that can be used to assign trust
and reputation.  It is reasonable to treat unauthenticated email as
lacking any trust and having no positive reputation.
'---

Clearly, the signing identity's reputation is expected to play an 
acceptance role; otherwise, what is DKIM's purpose?  When DKIM's results 
may prove misleading, invite phishing attacks, or cause harm, this 
should call the merits of the current specification into question.

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
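The Section 6.3 text quoted above describes an Identity Assessor keying local policy on a validated SDID (the d= tag) rather than on anything an unauthenticated message carries. The following is an added example, not code from the thread, from RFC 4871bis or from any DKIM implementation: it parses the DKIM-Signature tag list, extracts the SDID and AUID, enforces the rule that the AUID domain must be the SDID or a subdomain of it, and consults a constructed reputation table keyed by SDID. The signature cryptography is assumed to have been checked already by a separate verifier step; the `verified` flag, the `REPUTATION` table and the sample header (loosely modeled on the RFC's appendix example, with a made-up b= value) are all constructed for illustration.

```python
"""Identity Assessor sketch: apply local policy keyed on the validated SDID.

Added example for the ietf-dkim thread; not the RFC's or any project's code.
Assumes signature verification has already happened elsewhere; this only
parses the tag list and shows how a reputation lookup is keyed.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed reputation table (hypothetical scores in [0, 1]); a real
# assessor would accumulate these per SDID over time.
REPUTATION: Dict[str, float] = {
    "example.com": 0.9,
    "bulk-mailer.example": 0.4,
}


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 4871 section 3.2 grammar).

    Folding whitespace is unfolded, whitespace around tag names and values is
    dropped, the trailing ';' is optional, and duplicate tags are rejected.
    """
    tags: Dict[str, str] = {}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    for part in unfolded.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, val = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # b= and bh= are base64 and may be folded; strip all whitespace there.
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags


def signing_identities(signature_header: str) -> Tuple[str, str]:
    """Return (SDID, AUID) from a DKIM-Signature header value.

    If i= is absent the AUID defaults to '@' + SDID. The AUID domain must be
    the SDID itself or a subdomain of it; anything else is a malformed
    signature and is rejected rather than assessed.
    """
    tags = parse_tag_list(signature_header)
    sdid = tags["d"].lower()
    auid = tags.get("i", "@" + sdid).lower()
    auid_domain = auid.rsplit("@", 1)[1]
    if auid_domain != sdid and not auid_domain.endswith("." + sdid):
        raise ValueError(f"AUID domain {auid_domain!r} is not {sdid!r} or a subdomain")
    return sdid, auid


def assess(signature_header: Optional[str], verified: bool) -> Tuple[str, float]:
    """Identity Assessor step: map a message to (identifier, reputation).

    Unsigned messages, and signed messages whose signature did not verify,
    yield the same result: no reliable identifier and no positive reputation
    (the 'reasonable to treat as lacking any trust' case of Section 6.3).
    A validated SDID that is simply unknown gets 0.0 as well, but it is a
    stable key on which reputation can start to accumulate.
    """
    if signature_header is None or not verified:
        return ("unauthenticated", 0.0)
    sdid, _auid = signing_identities(signature_header)
    return (sdid, REPUTATION.get(sdid, 0.0))


# Constructed sample header value (folded as it would appear on the wire).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.com; s=brisbane; c=relaxed/simple;\r\n"
    "\tq=dns/txt; i=joe@football.example.com;\r\n"
    "\th=Received : From : To : Subject : Date : Message-ID;\r\n"
    "\tbh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;\r\n"
    "\tb=Q29uc3RydWN0ZWQgc2FtcGxlIHZhbHVlLCBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)

if __name__ == "__main__":
    print(signing_identities(SAMPLE_SIGNATURE))
    print(assess(SAMPLE_SIGNATURE, verified=True))
    print(assess(SAMPLE_SIGNATURE, verified=False))
    print(assess(None, verified=False))
```

Note that the assessor never keys on the From: header or on the AUID's local part; only the SDID, which the signature actually binds, is used as the reputation key.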
