On August 15, 2005 at 12:53, Michael Thomas wrote: > I think we'd do better to just not conflate both of these > things. There are signers that are willing to assert > "this passed through me, for whatever that's worth", and > "this passed through me, and I have a relationship with > one or more of the outside addresses visible". The first > is, essentially, a signed received header. The second > provides the originating domain a way to provide some amount > of comfort to the receiver that it's that domain sending > the mail rather than some random forger. They solve two > different problems, IMO, and a domain may well be willing > to provide the first, but not the second.
But DKIM does not really allow the first, in the general. In the first case, the signer is attempting to verifying routing information, but all DKIM signatures are bound to "originator address". Therefore, if the SSP disallows third-party signing, then a domain cannot just sign any message, unless it is the originating domain. Not all mail delivery is point-to-point. Multiple signatures are punted on in the DKIM draft, so that further limits things. If DKIM supported richer binding semantics that went beyond the "originator address", then something like the first case is doable. Of course, richer binding semantics does add complexity. --ewh _______________________________________________ ietf-dkim mailing list <http://dkim.org>
