> -----Original Message-----
> From: [email protected] [mailto:ietf-dkim-[email protected]] On Behalf Of hector
> Sent: Wednesday, October 14, 2009 7:20 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [ietf-dkim] brand protection, was Is anyone using ADSP?
>
> > A DKIM signature says nothing about "origination". A signature is typically by
> > an organization that handles the message, but it need not be the originator or
> > even a sender. An independent trust service, such as Goodmail, could sign it,
> > for example.
>
> So are you saying that all receivers should whitelist goodmail.com
>
>     dkim-signature: d=goodmail.com ....?
>
> regardless of what the Author Domain has declared for ADSP?
>
> Should we take for granted that the author domain has paid GOODMAIL.COM to
> certify its mail?
>
> Conversely, what happens when mail from the author domain does not arrive
> with GOODMAIL.COM signatures?
>
> How does the receiver handle this?
You're trying very hard to infer something that was not stated or implied in either what Dave said above or in the specs themselves. In general, people are trying very hard to infer something from DKIM signatures and from ADSP that simply can't be safely inferred from the protocols as they have been defined so far.

The simple answer to the question is: "We don't know yet." I'm sorry that this is the case, and I do understand that it's frustrating, but right now that's where we are.

Some constructive work would be really helpful here rather than all this fist-pounding and finger-pointing that only serves to degrade things further. I for one would love to either write or see a draft that provides a third-party version of ADSP (FDSP, "F" for "forwarding"? LSP for "list signing practices"?) that considers the general list and forwarder cases, including discussion of possible attacks and why the proposal is resilient to them.

TPA, for example, proposes an idea for authorizing third-party signatures where the third parties are known a priori, but thus doesn't cover mail through a list some user might want to use that signs/resigns. DSAP is something closer to useful in the general case but is in need of examples and something more than an outline in the area of security considerations, thus demonstrating its usefulness.

I would happily implement either or both as experiments if there's even partial consensus that they are potentially workable solutions.

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
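As an added illustration of the receiver-side question raised above (this is not code from the list or from any DKIM implementation): an ADSP evaluator following RFC 5617, with a constructed in-memory table standing in for the _adsp._domainkey TXT lookup. It shows that a valid third-party signature such as d=goodmail.com is not an Author Domain Signature, so the practice the author domain published decides the ADSP result; the domain names and records are made up.

```python
import re

# Constructed stand-in for the TXT records at _adsp._domainkey.<domain> (RFC 5617 s.4.1).
FAKE_DNS = {
    "_adsp._domainkey.bank.example": "dkim=discardable",
    "_adsp._domainkey.blog.example": "dkim=all",
    "_adsp._domainkey.news.example": "dkim=unknown",
    # shop.example publishes no ADSP record at all.
}

def author_domain(from_header):
    """Domain of the (single) From: address, the Author Domain of RFC 5617 s.2.3."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None

def lookup_adsp(domain, dns=FAKE_DNS):
    """Published practice ('all', 'discardable', 'unknown'), or None if no record."""
    rec = dns.get("_adsp._domainkey." + domain)
    if rec is None:
        return None
    # ADSP records use DKIM tag=value syntax; only the dkim= tag matters here.
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    practice = tags.get("dkim", "").strip().lower()
    # Unrecognised values are treated as 'unknown'.
    return practice if practice in ("all", "discardable") else "unknown"

def adsp_result(from_header, valid_signers, dns=FAKE_DNS):
    """valid_signers: d= values of the DKIM signatures that verified.
    Returns a dkim-adsp result as registered by RFC 5617 s.5.4:
    pass / none / unknown / fail / discard (nxdomain and errors omitted here)."""
    domain = author_domain(from_header)
    if domain is None:
        return "none"
    # Author Domain Signature (s.2.7): d= must equal the Author Domain.
    # A valid third-party signature, e.g. d=goodmail.com, does not count.
    if domain in (d.lower() for d in valid_signers):
        return "pass"
    practice = lookup_adsp(domain, dns)
    if practice is None:
        return "none"
    if practice == "discardable":
        return "discard"   # the author domain asks receivers to discard
    if practice == "all":
        return "fail"      # out of policy; what to do with it is local policy
    return "unknown"
```

So a bank.example message carrying only a goodmail.com signature evaluates to "discard" under a discardable record, however trustworthy goodmail.com is; that is the gap a third-party practices draft would have to close.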
