On Oct 13, 2008, at 12:58 PM, Murray S. Kucherawy wrote:
Dave CROCKER wrote:
This begs the question: why bother to do the first validation; why
not simply wait and let whoever would have validated the first
instead validate the first?
If the only authentication method being applied at a site is DKIM or
other things that don't care about the path, that works. But that's
a big "if", and moreover means all consumers of authentication
results data must now learn all local path-agnostic methods being
used to evaluate messages.
The desire here is to secure arbitrary authentication results data
between the border MTA and the consuming MUA. DKIM is one way that
could be achieved, meaning the consumers need to learn one and only
one message authentication scheme in order to validate that one
piece of protected internal data.
Agreed. However, when a domain attempts to assert control over the
From header field using DKIM and ADSP, they must "pretend" to
authenticate an email-address within the From header field. ADSP,
using a false premise of email-address authentication, has impaired
DKIM's on-behalf-of field which is essential for evaluating intra-
domain abuse. If the source of a message is not abusive, there should
be no reason to filter based upon content classifications. In the
case of ADSP, there no basis upon which classifications can be
trusted. The one exception would be for a perfect signing domain,
otherwise these efforts represent an exercise in futility.
-Doug