On Jun 27, 2006, at 8:48 PM, Keith Moore wrote:
I also believe that creating an authentication system that favors
large domains over small ones, and inflexible signing policy over
flexible signing policy, is bad for society. The trick is getting
a balance between these. Some of my concerns about DKIM are in
this area, but not all of them.
That is a complaint also heard from members of the APWG wanting this
technology applied more easily by smaller entities. Expectations of
implicit validation of email-addresses as currently defined in the
base draft is problematic in this regard. Making email-address
validation explicit by being included within the 'i=' parameter could
help remedy a loss of versatility for smaller domains. DKIM could
then allow third-party signing domains that makes no assertions about
the "valid" use of an email-address. The expectation of acceptance
policies dealing with spoofing based upon policy applied to the email-
address offers poor protections that overlook common use of display
names and greater use of international localpart and domains names.
Acceptance polices are not enough and require adjunct message
annotation conveying not only signature verification status, but also
whether the signing domain is within the recipient's list of trusted
signing domains. DKIM must not depend upon email-address acceptance
polices alone, especially as exclusive reliance upon this approach
prevents greater utilization of this technology.
-Doug
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf