[ietf-dkim] list vs contributor signatures, was Wrong Discussion
chl at clerew.man.ac.uk
Mon May 3 03:02:18 PDT 2010
On Fri, 30 Apr 2010 08:25:31 +0100, Douglas Otis <dotis at mail-abuse.org>
> On 4/29/10 6:06 PM, John Levine wrote:
>> I just don't see how you can simultaneously say "throw away unsigned
>> mail" and "don't throw away unsigned mail if a list says it used to
>> be signed" unless you have some way to identify trustworthy lists.
> Agreed. People might trust authentications of a From domain based upon
> valid Author Signatures, but they should not trust From domains based
> upon A-R header indications of previous Author Signatures without
> knowing how the A-R headers were processed. Any assumption of proper
> processing would permit simple exploits and invite abuse. Those most
> interested in determining proper A-R header processing by third-parties
> would be those with an interest in protecting their recipients, such as
> financial institutions.
Which is why A-R headers need to be signed by whoever created them Then at
least you know where they came from and can adjust you policies
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
More information about the ietf-dkim