[Top] [All Lists]

Re: [ietf-dkim] Weird i= in client mail

2013-06-20 10:39:20
On 06/20/2013 03:05 AM, John R. Levine wrote:
Seems to me that works fine as is.  If a stock broker wants to set
up its mail system to put an i= into DKIM that reliably identifies
the person who sent the mail, they can do that.

But unless I have external knowledge that they do that, and trust
them to do it right, I can't depend on it,

Rolf E. Sonneveld:
Why do you raise this concern for "i=" and not for "d="? Simply
looking at "d=" we can't differentiate between a Good Guy and a
Bad Guy, until we have built some history/reputation for that
particular "d=" domain.  Why wouldn't the same logic hold for "i="?

Because d= specifies the name of the public key.

Rolf E. Sonneveld:
As there is only one private key associated with that public key,
we may safely assume that the owner of that private key takes
responsibility for any use of the "i=" within that "d=" domain.

Or any other bits in the message header or body, for that matter.
The point is that d= provides the authenticated channel between
signer and verifier, while all the other bits are just riding along
through that authenticated channel.

This thread is really about different degrees of trust: trust in
the authenticated channel, versus trust in the content that arrives
through that channel. I may be willing to believe that the channel
is authentic, while at the same time being sceptical about any
claims that are made by its payload.

NOTE WELL: This list operates according to