[ietf-dkim] The URL to my paper describing the DKIM policy options
Jim Fenton
fenton at cisco.com
Thu Jul 27 16:33:42 PDT 2006
Scott Kitterman wrote:
> On Thursday 27 July 2006 14:00, Bill.Oxley at cox.com wrote:
>
>> My requirements
>>
>> I sign all
>> I sign nothing
>> I sign only 3rd party
>> I sign all and 3rd party
>> I sign some mail
>>
>>
>> My Policy/Practice
>>
>> I sign all - every piece of mail purported to be from me must be signed
>>
>>
> Must be signed by you or must be signed by anybody. If the latter, it's
> trivially spoofable unless you have a list of others that are authorized to
> sign.
>
Sure; third-party signatures will have a bigger dependence on
reputation/accreditation/whitelists/etc. than originator signatures.
Using cisco.com as an example, how would we create a list of others that
are authorized to sign? We have people using mailing lists, "mail this
article to a friend", and similar services all over the place. There's
no way that we could catalog a complete list. However, we might want to
white list a bunch of likely-reliable signing domains (e.g., ietf.org,
mipassoc.org and maybe nytimes.com) and treat these messages with less
scrutiny.
-Jim
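
Added example, not part of the message above or of any DKIM draft: a receiver-side sketch of the distinction discussed in this exchange, separating an originator signature, a signature from a whitelisted third party, and a valid signature from an arbitrary domain on mail whose From: domain says "I sign all". The decision labels, the `verified` input (domains whose signatures a DKIM verifier has already checked cryptographically) and the `spoofer.example` domain are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Receiver-local whitelist, using the domains named in the message above.
TRUSTED_THIRD_PARTIES = {"ietf.org", "mipassoc.org", "nytimes.com"}

def signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header in the message."""
    domains = set()
    for header in msg.get_all("DKIM-Signature", []):
        for tag in str(header).split(";"):
            name, _, value = tag.partition("=")
            if name.strip() == "d":
                domains.add(value.strip().lower())
    return domains

def classify(raw_message, verified, sender_signs_all):
    """Decide handling from the From: domain and the verified signers.

    verified: domains whose signature passed verification (assumed input).
    sender_signs_all: True if the From: domain publishes "I sign all".
    """
    msg = message_from_string(raw_message)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # A d= value only counts if its signature actually verified.
    signers = signing_domains(msg) & {d.lower() for d in verified}
    if author in signers:            # exact match only; subdomains not handled
        return "originator-signed"
    if signers & TRUSTED_THIRD_PARTIES:
        return "third-party-whitelisted"
    if sender_signs_all:
        # Unsigned, or signed only by a domain nobody vouches for: a valid
        # signature from an arbitrary domain does not satisfy "I sign all".
        return "suspicious"
    return "third-party-unknown" if signers else "unsigned"

def sample(*signers):
    """Build a constructed message claiming to be from cisco.com."""
    lines = ["From: Someone <user@cisco.com>"]
    lines += [f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel; b=CONSTRUCTED"
              for d in signers]
    return "\n".join(lines) + "\n\nbody\n"

if __name__ == "__main__":
    for d in ("cisco.com", "ietf.org", "spoofer.example"):
        print(d, "->", classify(sample(d), {d}, sender_signs_all=True))
```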