Doug, If the hash validates to the signing domain and first sender, why is it nescessary that the two domains be the same? thanks, Bill
-----Original Message----- From: [EMAIL PROTECTED] on behalf of Douglas Otis Sent: Thu 11/17/2005 6:43 PM To: Stephen Farrell Cc: IETF-DKIM Subject: Re: [ietf-dkim] SSP security relies upon the visual domain appearance On Nov 17, 2005, at 2:27 PM, Stephen Farrell wrote: > Doug - quick and simple question: does all of this depend > on there being >1 From address? First-party policy mandates (the only mode restricting use and somewhat protecting reputation) requires the _first_ email-address correspond to the signing-domain. This single address may not identify the author to the recipient, such as with a list-server. A list-server may also be dealing with many different policies, where exploding the message will likely include multiple From addresses as a general precaution to ensure delivery. The problem related to a correlation of the signing-domain with that of the email-address represents a general loss of freedom, even when there is only one From address used. The sender's ability to use a preferred or recognized email-address has been lost without adding an additional From. There are schemes in place to accrue reputation at the email-address providing authorization, as a by-product of prior mechanisms. Reputation accrual at the email-address unfairly shifts accountability onto the email-address domain owner obligating use of a first-party mandate, especially where a list of authorized signers is used. I doubt there is any reasonable method to publish out-of- band authorizations without incurring such a side-effect. This would be due to inherited legacy and a prevailing mindset that authorization is authentication. -Doug PS. The SSP designation for this mode would be !. _______________________________________________ ietf-dkim mailing list http://dkim.org _______________________________________________ ietf-dkim mailing list http://dkim.org
