On Sep 6, 2006, at 4:24 PM, Thomas A. Fine wrote:
The alleged half-implemented DKIM within a domain makes no sense
whatsoever - why would a domain work really hard to maintain
thousands or millions of records, so that the spammers can continue
to forge spam from their domain with policy-assured freedom? They
won't.
What is being forged, the email-address?
The sensible solution is to dispense with all this user-signed
nonsense. It does no real good.
The mechanism being sought is to use policy as a means to
differentiate a message from other messages within a common signing
domain. The concern is not limited to just spammers. The recipient
can then recognize specific assurances via message annotations. This
mechanism is essential.
Domains should be free to set up as many keys as they want, and use
them however they want. If they want to set up a million keys, one
for each user, well, that's dumb in my opinion, but let them,
because it's not for me to dictate. At any rate, this will handle
any odd situations where users have a legitimate need to self-sign.
BUT: this should all be part of the standard mechanism for
distributing valid keys, and should not in any way be a special
case for user validation. It should simply be part of the selector
mechanism.
An arcane component of a DKIM signature (the selector) or a signing
subdomain (where assurances of the email-address being valid is lost)
does not offer viable differentiated protections. Keep in mind, the
entire domain is not equally trustworthy.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
