Scott Kitterman wrote:
> On Thursday 27 July 2006 14:00, [EMAIL PROTECTED] wrote:
>
>> My requirements
>>
>> I sign all
>> I sign nothing
>> I sign only 3rd party
>> I sign all and 3rd party
>> I sign some mail
>>
>>
>> My Policy/Practice
>>
>> I sign all - every piece of mail purported to be from me must be signed
>>
>>
> Must be signed by you or must be signed by anybody? If the latter, it's
> trivially spoofable unless you have a list of others that are authorized to
> sign.
>
Sure; third-party signatures will have a bigger dependence on reputation/accreditation/whitelists/etc. than originator signatures.

Using cisco.com as an example, how would we create a list of others that are authorized to sign? We have people using mailing lists, "mail this article to a friend", and similar services all over the place. There's no way that we could catalog a complete list. However, we might want to white list a bunch of likely-reliable signing domains (e.g., ietf.org, mipassoc.org and maybe nytimes.com) and treat these messages with less scrutiny.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
