This whole thing may become a moot point with the new wording of the second paragraph of the introduction as suggested by Arvel. It says:
However, the legacy of the Internet is such that not all messages will be signed. Therefore, the absence of a signature is not an a priori indication of forgery. In fact, during early phases of DKIM deployment it must be expected that most messages will remain unsigned. Nevertheless, some domains may find it highly desirable to advertise that they sign all of their outgoing mail making the absence of a valid signature a potential indication of forgery. Without a mechanism to do so, the benefits of DKIM are limited to cases in which a valid signature exists and cannot be extended to cases in which signatures are missing or are invalid. Defining such a mechanism is the purpose of Sender Signing Practices. With the above wording, I don't think we need to put too sharp a point on the definition of "forgery". -Jim Charles Lindsey wrote: > On Wed, 14 Nov 2007 23:50:17 -0000, Jim Fenton <[EMAIL PROTECTED]> wrote: > >> Douglas Otis wrote: >>> Introduction: >>> >>> ,-- >>> | ... However, some domains may choose to sign all of their >>> | outgoing mail, for example, to protect their brand name. It is >>> | highly desirable for such domains to be able to advertise that fact >>> | to verifiers, and that messages claiming to be from them that do not >>> | have a valid signature are likely to be forgeries. This is the topic >>> | for sender signing practices. >>> '-- >>> >>> This statement overlooks messages forwarded by mailing-lists and the >>> like where a signature might become invalid. >>> >>> Perhaps change "claiming to be from them" to "claiming to be directly >>> from them". >> >> DKIM tries to be as path-agnostic as possible, so the word "directly" is >> problematic. If it goes through a transparent (non-modifying) >> forwarder, is it "directly from them"? Probably not, so this wording >> understates DKIM's value. > > My interpretation of "directly" in the above text is that it implies > > "if this message arrives without evidence of intermediate > forwarding/mail-list-expansion/whatever, and its signature is > bad/absent, then that is a cause for immediate and grave suspicion. > But if there is evidence of such forwarding, then further > investigation of whether such forwarding might removed/broken our > original signature could be taken into account". > > So if the forwarder has resigned (or even better certified that the > original sugnature was good when seen by him) then a site that is > prepared to trust the forwarder might choose to be less suspicious. > > If that is the intention of "directly", then it is probably fine to > include it (or mayube something more explicit, since "directly" seems > toi have been misunderstood. > > OTOH, my interpretation of "strict" means "please be suspicious if the > signature is absent/bad even if there is plausible evidence of > mangling by a forwarder". > _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
