On August 18, 2005 at 09:33, SM wrote:

> >because it makes things simpler for mailing lists (why check SSP at
> >every step?) and because it puts the decision in the hands of the
> >recipient's verifier because it's really the recipient we're serving.
>
> Whatever we put in the SSP, it comes down to the receiver's end
> making the final decision. DKIM cannot stop people from "using our domain".

It is a problem if a receiving verifier does not play by the rules, but most systems have this problem. Receivers that rely on another party to validate the messages (e.g. their mailbox provider) have to have trust that the provider is doing things right.

As for the receiver making the final decision, all receiver implementations should generate the same result on the same message (at the DKIM level). There should not be room for ambiguity and variability; this can lead to exploitation. Also, if the sender/signer can reliably predict what a verifier will do (at the DKIM level), there is little use in signing messages.

--ewh

_______________________________________________
ietf-dkim mailing list
http://dkim.org
