[ietf-dkim] suspicious and SUSPICIOUS
Michael Thomas
mike at mtcc.com
Mon Oct 1 08:37:45 PDT 2007
Charles Lindsey wrote:
> Now the ultimate recipients see A's signature (no longer good), plus
> A's policy. So the message is on the face of it "suspicious". So what
> is the recipient supposed to do? He is a member of the list, and is
> happy to trust the list maintainer, and can check the 2nd signature.
> But he is still receiving conflicting advice.
This is something that I also took away from the draft. "strict" +
broken/missing signature is much more suspicious than "all" +
broken/missing signature. My suggestion would be to tie the "suspicion"
to the expectation: e.g. suspicious/strict and suspicious/all.
>
> The only real solution to this problem is for B to add an
> Authentication-Results header (see the Mail-Vet-Discuss mailing list),
> and to include that header in its own signature. Maybe that is veering
> off topic for this list, but at least there should be a pointer to
> that sort of possibility.
>
This doesn't work in the abstract because Auth-res isn't necessarily
trustable across domains, and in fact I often don't trust who produced
it even if it could be authenticated.
Mike