[ietf-dkim] Capturing DKIM relationships to thwart look-alikes

Douglas Otis dotis at mail-abuse.org
Tue Sep 12 10:52:11 PDT 2006


On Sep 12, 2006, at 10:30 AM, Wietse Venema wrote:

> I get mail that pretends to be from my bank. The SSP says the mail  
> is 100% pure non-forged. However, the DKIM-BASE signing domain is  
> not in my list of trusted signing domains. I get a warning that  
> this mail could be sent by a party that I have no relationship with.
>
> This may be a revolutionary concept to some, but a widely used  
> application called ssh has been using such tricks for 10 years. Its  
> approach to opportunistic authentication is not perfect for  
> purists, but it works for real people.
>
> Having gone in circles twice, I think this is a good time to step  
> out of this thread.

I am in complete agreement with your statement.  Rather than offering  
a warning, not offering a positive annotation akin to the browser  
lock-icon should also work.

While the capturing of the DKIM signing-domain with that of the  
email-address would work, this could be made more reliable by adopting  
conventions for conveying when the signing domain has assured the  
email-address in some fashion.  In addition, policy could also help  
reduce risks associated with the capturing efforts by confirming  
email-address/signing-domain associations.  With policy, it might  
also be possible to only capture the email-address itself, where  
policy makes the signing-domain association.

-Doug
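As an added illustration, not part of this thread or of any DKIM implementation, here is a small Python trust-on-first-use store for the capture-and-compare idea Wietse describes and the policy confirmation Doug suggests: the first signed message from an address records its signing domain (no annotation shown), later messages from the same address signed by the same domain get the positive mark, and a different signer is flagged. The `policy` mapping is a hypothetical stand-in for a published sender policy, and every address and domain in the test is a constructed sample.

```python
import re
from enum import Enum

class Annotation(Enum):
    TRUSTED = "trusted"    # known pairing: show the positive lock-style mark
    UNKNOWN = "unknown"    # first sighting: record the pairing, show nothing
    MISMATCH = "mismatch"  # address seen before with a different signer: warn
    UNSIGNED = "unsigned"  # no valid DKIM signature: show nothing

# d= tag of a DKIM-Signature tag-list (';'-separated, whitespace allowed)
D_TAG = re.compile(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", re.IGNORECASE)
# addr-spec of a From: header, with or without angle brackets
ADDR = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?\s*$")

def from_address(from_header):
    m = ADDR.search(from_header.strip())
    return m.group(1).lower() if m else None

def signing_domain(dkim_header):
    m = D_TAG.search(dkim_header)
    return m.group(1).lower() if m else None

class TofuStore:
    """Capture address -> signing-domain pairings on first sight, ssh-style.

    `policy` is a hypothetical stand-in for the sender's published policy:
    a mapping from address domain to the signing domains it authorizes.
    """
    def __init__(self, policy=None):
        self.seen = {}          # email address -> signing domain first captured
        self.policy = policy or {}

    def annotate(self, from_header, dkim_header, sig_valid):
        addr = from_address(from_header)
        signer = signing_domain(dkim_header) if dkim_header else None
        if not sig_valid or addr is None or signer is None:
            return Annotation.UNSIGNED
        addr_domain = addr.rsplit("@", 1)[1]
        authorized = self.policy.get(addr_domain, set())
        known = self.seen.get(addr)
        if known is None:
            self.seen[addr] = signer
            # policy can confirm the pairing up front; otherwise it is only captured
            return Annotation.TRUSTED if signer in authorized else Annotation.UNKNOWN
        if known == signer or signer in authorized:
            return Annotation.TRUSTED
        return Annotation.MISMATCH
```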
