t.petch wrote:
It functions, but does not work, in that it tells me nothing about the true
origin of the communication.
Yes and No and that the main problem with DKIM, which I see is the
lack of 3rd party signal controls or put another way - anyone, middle
ware and especially list servers can blindly DKIM resign mail without
restrictions. That lack of control has cause originating authoring
domains, copyright holders of mail, all benefits of supporting DKIM.
The current approach is that original domains no longer have any
rights whatsoever to declare they are the only signers allowed to sign
mail and any deviation from that expectation should be indication of
protocol failure - "Reject it!"
Unfortunately, in order to allow a list server or any 3rd party
middleware to exist with DKIM (re)signing features, it needs to ignore
any original DKIM domain signing practice or expectations.
No domain that wishes exclusive signing operations should be sending
their signed mail to a public service forum. We know this, but we
don't have the controls to disallow faults or bad guys attempting to
create a facsimile of your domain signed mail in public areas or
directly to others.
Finally, as DKIM was revamped from secured Author-Domain signing
protocol to a "anyone can signed" 3rd party Trust vendor protocol, the
problem we face is we don't have consistency with 3rd party trust
tables. For DKIM to work, every validators needs a copy of the same
trust tables. DKIM is a protocol that requires Batteries in order to
work and everyone must use the same batteries.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf