On Aug 3, 2006, at 8:50 AM, Mark Delany wrote:
On Thu, Aug 03, 2006 at 08:14:19AM -0700, Dave Crocker allegedly wrote:
In other words, I think that fate-sharing is inherent here, where two
different domain names can be identified.
Why would your ISP be identified and, even if it is, why would its
signature, as a third-party, be more relevant than your signature, as
a first party?
Some will do their own signature "just to be safe". Certainly their IP
address will be obtained as it is now.
Which I think is the point. Filters already thrive on diversity, so
it's not clear to me that we will be able to impose much uniformity on
that front.
The only mandate I think we could possibly make towards uniformity is
if we said that signers MUST remove all existing signatures. If
verification ever allows the presence of multiple signatures, then
pretty much all bets are off as to how deployments will add
signatures.
Having said that. In the dim distant past we did talk about origin
signatures and relay signatures (or some such, I forget the exact
nomenclature for the moment). So I suppose if we can clearly
distinguish origin signatures from relay signatures, that might be
useful.
This was reviewed in a draft:
http://www.sonic.net/~dougotis/id/draft-otis-dkim-options-00.html
The idea was to devise a scheme for retention of a minimal number of
DKIM signatures. The concern was related to DoS issues. It used
three roles, the MSA, Mediator, and MDA. Rather than removing the
signatures, it would overwrite the b= parameter. Today, over-writing
the first few characters of the bh= would be a better choice.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
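
The retention idea in Doug's message (keep the DKIM-Signature fields but overwrite `b=`, or the first characters of `bh=`), as an added example that is not code from the thread or from the draft. The policy of leaving only the `keep` topmost signatures intact, the `!` filler and the sample headers are assumptions.

```python
import re

# Constructed sample (not from the thread): two signatures, dummy b=/bh= values.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=med;\r\n"
    "\th=from:subject; bh=TElTVGJvZHloYXNo;\r\n"
    "\tb=bGlzdC1zaWduYXR1cmU=\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=origin.example; s=msa;\r\n"
    "\th=from:subject; bh=T1JJR2JvZHloYXNo;\r\n"
    "\tb=b3JpZ2luLXNpZ25hdHVyZQ==\r\n"
    "From: alice@origin.example\r\n"
    "Subject: test\r\n"
)

def split_headers(raw):
    """Split a header block into fields, keeping folded continuation lines."""
    fields = []
    for line in raw.splitlines(keepends=True):
        if line[:1] in " \t" and fields:
            fields[-1] += line
        else:
            fields.append(line)
    return fields

def parse_tags(field):
    """Return a DKIM-Signature field's tag=value pairs with whitespace removed."""
    pairs = (p.split("=", 1) for p in field.split(":", 1)[1].split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def overwrite_tag(field, tag, count=None, filler="!"):
    """Overwrite a tag value in place: all of it, or its first `count` (>= 1) chars."""
    def repl(m):
        # Replace non-whitespace only, so header folding and length are preserved.
        return m.group(1) + re.sub(r"\S", filler, m.group(2), count=count or 0)
    name, body = field.split(":", 1)
    # Anchored on ";" or start-of-body and followed by "=", so "b" cannot match "bh".
    pat = r"((?:^|;)\s*%s\s*=\s*)([^;]*)" % re.escape(tag)
    return name + ":" + re.sub(pat, repl, body, count=1)

def retain_minimal(raw, keep=1, tag="b", count=None):
    """Leave the `keep` topmost signatures verifiable; overwrite `tag` in the rest."""
    out, seen = [], 0
    for field in split_headers(raw):
        if field.lower().startswith("dkim-signature:"):
            seen += 1
            if seen > keep:
                field = overwrite_tag(field, tag, count)
        out.append(field)
    return "".join(out)
```

`retain_minimal(SAMPLE, tag="bh", count=4)` applies the `bh=` variant mentioned at the end of the message; in both variants `d=` and `s=` stay readable, so the retired signature still names its signer.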