Are you proposing a text change? Working Group Last Call closed some time ago.
On Thu, Sep 12, 2024 at 4:29 AM Douglas Foster <[email protected]> wrote:

> A DKIM signature acts like a notary public, "This person, who is well
> known to me, can be reliably associated with this document."

How does this apply to very large operators like Gmail? Are you not asserting that they need to establish "well known to me" somehow across millions of users? What do you expect that would look like?

> Signing works for DMARC only when the DKIM signer has actually validated
> the entity before adding the signature.

I would argue that the value of a DKIM signature increases when receivers have confidence that what they sign is desirable (or rather, not undesirable). This is "reputation".

> Therefore, when a signature is applied by an outbound gateway server,
> everything depends on whether the gateway was able to authenticate the
> message being signed. I know of no discussion about how a gateway
> authenticates its clients and how an evaluator knows that the signature was
> applied to an authenticated message.

I would argue that this is out of scope for DMARC. It's enough to observe that a DKIM signature is not an attestation of the value of the message, only a statement that the signing domain handled the message (directly or by proxy). This is discussed in Security Considerations of the DKIM standard.

> More generally, a message should only be considered DMARC-validated if it
> can be validated at every organization change. There are many obstacles to
> making that determination. ARC is clearly part of the solution.

If a message has a valid author signature but is not signed by any intermediary, what's missing from a usable DMARC evaluation?

-MSK
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
