[ietf-dkim] Not exactly not a threat analysis
moore at cs.utk.edu
Tue Aug 23 11:54:32 PDT 2005
>>I think that authors that want to protect their reputations can
>>their messages to have DKIM authorship signatures, and also advertise (say via
>>DNS) that their messages will have such signatures. Whether this is done via
>>an MUA, or via a special submission server, or whatever, is up to the author.
> You can only do this in the MUA because only the MUA can tell the
> difference between a new message and a re-submission. However DKIM is
> designed to be deployed in an MTA in the usual case.
I don't think DKIM should preclude MUA signing of authored content.
> However the submission server cannot trivially include the list of
> recipients in the message signature and remain compatible with BCC (which
> is one of our requirements).
Sure it can. Any recipient in the envelope but not in the message
header gets a separate signature. Easiest thing to do is to sign
outgoing traffic rather than incoming traffic. The big issue here is
with mailing lists that send messages to large numbers of recipients
that don't appear in the message header. In this case you might want
the signature to say "this is going to list X" rather than "this is
going to recipients, a, b, c, d, ... "
More information about the ietf-dkim