[ietf-dkim] SSP and mailing lists
dotis at mail-abuse.org
Mon Sep 11 22:26:29 PDT 2006
On Mon, 2006-09-11 at 21:14 -0700, Steve Atkins wrote:
> I don't expect MUAs to pop up warnings or anything similar when they
> see unsigned mail. I wouldn't be surprised to see something akin
> to a web browser "locked padlock" or colored browser bar GUI element,
> but I think it would be a big mistake and a big disservice to users to
> do that.
> There are several reasons I think that it would be a mistake, but the
> dominating one is that a message being signed doesn't mean that
> it's trustworthy (of which the c1t1bank.com problem, and its i18n
> parallels, is just one example).
I agree with this point. However, when an email-address has been
retained in a third-party list of valid identities, or within a
recipient's address-book, messages _can_ receive safe annotations not
prone to these look-alike attacks. The annotations would be based upon
DKIM assured email-addresses compared against these retained
The use of an address-book may require conventions of using pass-phrases
in initial messages. This pass-phrase could be something the recipient
enters at a web site to ensure proper recognition when a related email
does arrive. Once entered into the address-book, their messages can
receive proper annotations.
This is safer and simpler to administer than deciding how to triage
messages with damaged signatures and wondering how much email disappears
into the DKIM cracks. Annotation should allow recipients to drill-down
on the related details much as with browser annotations.
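The annotation rule sketched in this reply, as an added example (not code from the post or from any DKIM implementation): a message earns a "trusted sender" mark only when a verified DKIM signature covers the From address and that exact address is already retained in the address-book, so a signed look-alike such as c1t1bank.com earns nothing. It assumes a separate verifier has already checked the signature and reports pass/fail; the address-book entries and headers below are constructed.

```python
from email.utils import parseaddr

# Constructed address-book of identities the recipient has already retained.
ADDRESS_BOOK = {"alice@example.com", "billing@citibank.com"}


def parse_dkim_tags(header):
    """Split a DKIM-Signature tag=value list into a dict (values stripped)."""
    tags = {}
    for item in header.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def signing_identity(tags):
    """Identity the signer vouches for: i= when present, otherwise @d=."""
    return (tags.get("i") or "@" + tags.get("d", "")).lower()


def address_is_assured(from_header, tags):
    """True when the signing identity covers the From address exactly.

    Strict choice for this example: the From domain must equal the i=/d=
    domain, and a local part in i= must match the From local part. The
    i=-within-d= relationship is assumed to have been enforced by the verifier.
    """
    local, _, domain = parseaddr(from_header)[1].lower().rpartition("@")
    ilocal, _, idomain = signing_identity(tags).rpartition("@")
    if not idomain or idomain != domain:
        return False
    return not ilocal or ilocal == local


def annotate(from_header, dkim_signature, verified):
    """Return 'trusted-sender', 'signed', or None (no annotation at all)."""
    if not dkim_signature or not verified:
        return None  # missing or damaged signature: no claim either way
    tags = parse_dkim_tags(dkim_signature)
    if not address_is_assured(from_header, tags):
        return "signed"  # valid signature, but not for the From address
    addr = parseaddr(from_header)[1].lower()
    # Only an exact match against a retained identity earns the safe mark;
    # a look-alike domain (c1t1bank.com) is simply absent from the book.
    return "trusted-sender" if addr in ADDRESS_BOOK else "signed"
```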