> > I concur with Tony's model that a signature only means "I will accept
> > the blame for this message".
>
> I don't think that flies, or at least, I think that makes DKIM of fairly
> marginal value. A message itself is rarely blameworthy; what matters is
> the context.

Right. The context is who signed it. Other than you, I see no interest at all in Lumos-style schemes to express complex semantics of signatures.

> So if DKIM is going to be at all useful, it has to distinguish between
> an author signing the content and a (re)sender signing "yes, I (re)sent
> the message to this set of recipients".

You keep saying this, but it doesn't follow from your other arguments, and it's just plain not true. A signature that lets me tie a message to a domain is plenty useful with no other semantics attached.

> > I'm planning to look up the signing domain in whatever passes for a
> > reputation system, and if it says good, I'll accept it, if it says
> > bad, I'll reject it, and if it says nothing, I'll send the message
> > through the filtering gauntlet I use now.
>
> And what problem does this solve? Why does the fact that mail has
> passed through your MTA confer some sort of legitimacy on it, no matter
> what the content or the context?

Because domains are run by people, some of whom do a much better job of managing their mail than others. To pick a concrete example, if mail is signed by aol.com, I'll accept it because AOL does a really good job of keeping their mail stream under control. But if it's signed by hotmail.com or msn.com, I'll aim it into the spam filter with all the knobs turned up to maximum because they're infested with 419ers, all using valid addresses hosted by Hotmail.

R's,
John
_______________________________________________
ietf-dkim mailing list
http://dkim.org
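The receiving policy John describes (verify, look up the signing domain in a reputation source, then accept, reject, or hand off to the usual filters) as an added example; this is not code from the list post or from any DKIM implementation. It assumes the cryptographic verification has already been performed by a DKIM library and only consumes its verdict; the reputation table and the sample headers are constructed for illustration, and the domain verdicts simply echo the ones John gives above rather than any real reputation data.

```python
import re

# Constructed reputation table (illustrative only; a real receiver would
# query whatever reputation service it trusts).
REPUTATION = {
    "aol.com": "good",
    "hotmail.com": "bad",
    "msn.com": "bad",
}


def signing_domain(dkim_header):
    """Return the d= tag of a DKIM-Signature header value, lowercased.

    Returns None when there is no header or no d= tag. Folded header
    lines (CRLF followed by whitespace) are unfolded first, since the
    d= tag may sit on a continuation line.
    """
    if not dkim_header:
        return None
    unfolded = re.sub(r"\r?\n[ \t]+", " ", dkim_header)
    for part in unfolded.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag.strip().lower() == "d":
            return value.strip().lower() or None
    return None


def disposition(dkim_header, verified, reputation=REPUTATION):
    """Map one message to 'accept', 'reject' or 'gauntlet'.

    `verified` is the outcome of the DKIM signature check (assumed done by
    a DKIM library before this point). An unsigned or unverifiable message
    earns no reputation either way, so it goes through the normal filters
    ('gauntlet'); only a verified signature lets the signing domain's
    reputation decide.
    """
    domain = signing_domain(dkim_header)
    if domain is None or not verified:
        return "gauntlet"
    verdict = reputation.get(domain)
    if verdict == "good":
        return "accept"
    if verdict == "bad":
        return "reject"
    return "gauntlet"  # unknown domain: no opinion, filter as usual


# Constructed sample headers (not real signatures; b= values are dummies).
SAMPLES = [
    ("v=1; a=rsa-sha256; d=aol.com; s=sel1; h=from:to:subject;\r\n"
     "\tbh=dGVzdA==; b=c2ln", True),
    ("v=1; a=rsa-sha256; d=Hotmail.com; s=sel2; h=from; bh=x; b=y", True),
    ("v=1; a=rsa-sha256; d=example.org; s=sel3; h=from; bh=x; b=y", True),
    ("v=1; a=rsa-sha256; d=aol.com; s=sel1; h=from; bh=x; b=y", False),
    (None, False),
]


def classify_all(samples=SAMPLES):
    """Run the policy over the sample set; returns a list of (domain, verdict)."""
    return [(signing_domain(h), disposition(h, ok)) for h, ok in samples]


if __name__ == "__main__":
    for domain, verdict in classify_all():
        print(f"{domain!s:>12}: {verdict}")
```

Note that the domain is taken from the d= tag of the signature, not from the From: header; that is the whole point of the thread's "tie a message to a domain" argument, and it is also why an unverified signature must fall through to the gauntlet rather than earning a domain's good name.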
