On Sep 8, 2006, at 12:28 PM, John L wrote:
The owner of the domain does get to state that legitimate messages
are signed and to insist that it is extremely likely that messages
without authentication headers are forgeries intended to defraud
the recipient.
Right.
And recipients should pay attention to that statement because ... ?
Some people who claim they are heavily phished will be right.
Others will not be, and there is no way to tell from the SSP who is
ebay and who is some dimwit who doesn't understand that you
shouldn't say I sign everything if you use Yahoogroups.
A statement "All messages containing this email-address domain are
initially signed" would be correct for the dimwit that uses
Yahoogroups, provided an assertion "Only compliant services are used
that retain initial signatures" can also be added to this assertion.
The need to clarify this statement is to better ensure transactional
messages prone to being spoofed are treated differently than messages
used with common services. This distinction can also apply to
specific email-addresses, when considering how annotations offer
anti-spoofing protections.
-Doug
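As an added illustration (not part of this thread or of any IETF draft), the following Python evaluator models the two positions above: a blanket "all messages are signed" assertion cannot tell a forged transactional message from a legitimate one whose signature was broken by a mailing list, while a narrower per-address assertion that the address is only used through signature-retaining services keeps the claim reliable for the addresses that matter. The policy names, the policy table and the sample messages are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy vocabulary for this example (not a real SSP syntax):
#   "all"          : every message from here is signed (the dimwit's claim)
#   "all-retained" : signed AND only sent via services that keep signatures
#   "some"         : no claim made
# Keys are either a full address or a bare domain; address entries win.
POLICIES = {
    "payments@bank.example": "all-retained",  # transactional sender
    "bank.example": "some",                   # everything else at the bank
    "dimwit.example": "all",                  # user also posts to Yahoogroups
}


@dataclass
class Message:
    from_addr: str
    # Domain whose DKIM signature verified, or None if absent/broken.
    verified_domain: Optional[str]


def lookup_policy(addr: str) -> str:
    domain = addr.rsplit("@", 1)[1]
    return POLICIES.get(addr) or POLICIES.get(domain, "some")


def evaluate(msg: Message) -> str:
    """Return a disposition for a received message.

    A verifying author-domain signature always passes. Without one, a
    published "all*" assertion makes the message suspect; the receiver
    has no way to tell a forgery from list-damaged legitimate mail.
    """
    domain = msg.from_addr.rsplit("@", 1)[1]
    if msg.verified_domain == domain:
        return "accept"
    policy = lookup_policy(msg.from_addr)
    if policy in ("all", "all-retained"):
        return "suspect"
    return "neutral"


if __name__ == "__main__":
    forged = Message("payments@bank.example", None)
    via_list = Message("joe@dimwit.example", None)  # list stripped signature
    print(evaluate(forged), evaluate(via_list))     # both "suspect"
```

The constructed run shows the thread's point: the forgery and the innocent list post are indistinguishable under a blanket assertion, whereas limiting "all-retained" to payments@bank.example leaves other bank.example addresses neutral when they pass through a list.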
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html