On October 13, 2005 at 16:24, Jim Fenton wrote:

> >I've brought up the issue of signer roles, but it appears
> >to have been rejected or gained no traction.
>
> An attacker can easily add headers to assert that they're a mailing list
> (albeit one you haven't heard of), resender, etc. and sign them. I
> don't think there is any way to prove what the signer role is.

There is no way to prove that a signing domain, and what it signs,
can be trusted (the reason trust systems must exist). So how is
specifying the role any different from what else is signed?

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
