On Fri, 30 Apr 2010 08:25:31 +0100, Douglas Otis <[email protected]> wrote:

> On 4/29/10 6:06 PM, John Levine wrote:
>
>> I just don't see how you can simultaneously say "throw away unsigned
>> mail" and "don't throw away unsigned mail if a list says it used to
>> be signed" unless you have some way to identify trustworthy lists.
>
> Agreed. People might trust authentications of a From domain based upon
> valid Author Signatures, but they should not trust From domains based
> upon A-R header indications of previous Author Signatures without
> knowing how the A-R headers were processed. Any assumption of proper
> processing would permit simple exploits and invite abuse. Those most
> interested in determining proper A-R header processing by third-parties
> would be those with an interest in protecting their recipients, such as
> financial institutions.

Which is why A-R headers need to be signed by whoever created them. Then at
least you know where they came from and can adjust your policies accordingly.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: [email protected]
snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9
Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
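The mechanism Lindsey is asking for, as an added example that is not code from this thread or from any DKIM implementation: the list covers its own Authentication-Results (A-R) header by naming it in the h= tag of its DKIM-Signature, and the receiver acts on an A-R only when a verifying signature covers that A-R and the signature's d= equals the A-R's authserv-id. The example assumes messages represented as lists of (name, value) header pairs, an HMAC-SHA256 with an in-process key table standing in for RSA signing and the DNS public-key lookup (so the a= value is not a real DKIM algorithm name), RFC 6376 "relaxed" header canonicalization, and made-up domains, addresses and key material. It also runs the attacks the quoted text worries about: an A-R forged upstream of the list, an A-R edited in transit, a list that signs but leaves the A-R out of h=, and a list that signs an A-R claiming someone else's authserv-id.

```python
"""Added example, not from the thread or any DKIM implementation.  A list
signs its own Authentication-Results (A-R) by listing it in h= (RFC 6376);
the receiver trusts an A-R only if a verifying signature covers it and the
signature's d= equals the A-R authserv-id.  Assumptions: (name, value)
header lists; HMAC + key table instead of RSA/DNS; all names are made up."""
import base64
import hashlib
import hmac
import re

KEYS = {"bank.example": b"stand-in-key-bank", "lists.example.org": b"stand-in-key-list"}


def relaxed(name, value):
    """RFC 6376 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse whitespace
    return f"{name.lower()}:{value}\r\n"


def select(headers, names):
    """RFC 6376 5.4.2: per h= name take the bottom-most unused instance; a name
    with no instance left contributes nothing, so a later insertion breaks b=."""
    used, chosen = set(), []
    for n in names:
        for i in range(len(headers) - 1, -1, -1):
            if headers[i][0].lower() == n and i not in used:
                used.add(i)
                chosen.append(headers[i])
                break
    return chosen


def parse_tags(sig_value):
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def mac(headers, sig_value, key):
    """Hash input: h= headers in order, then DKIM-Signature with b= emptied (3.7).
    HMAC stands in for the RSA signature (assumption)."""
    names = parse_tags(sig_value)["h"].lower().split(":")
    data = "".join(relaxed(n, v) for n, v in select(headers, names))
    data += relaxed("DKIM-Signature", re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)).rstrip("\r\n")
    return base64.b64encode(hmac.new(key, data.encode(), hashlib.sha256).digest()).decode()


def sign(headers, domain, signed_names):
    sig = f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s=sel; h={':'.join(signed_names)}; b="
    return [("DKIM-Signature", sig + mac(headers, sig, KEYS[domain]))] + headers


def verify(headers, i):
    """True if the DKIM-Signature at index i verifies against the other headers."""
    tags = parse_tags(headers[i][1])
    key = KEYS.get(tags.get("d", ""))
    rest = headers[:i] + headers[i + 1:]
    return key is not None and hmac.compare_digest(mac(rest, headers[i][1], key), tags.get("b", ""))


def trusted_ar(headers):
    """A-R values a receiver may act on: covered by a verifying signature whose d=
    equals the A-R authserv-id.  Anything else is an unauthenticated claim."""
    trusted = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "dkim-signature" or not verify(headers, i):
            continue
        tags, rest = parse_tags(value), headers[:i] + headers[i + 1:]
        for n, v in select(rest, tags["h"].lower().split(":")):
            first = v.split(";", 1)[0].split()          # authserv-id [version]
            if n.lower() == "authentication-results" and first and first[0].lower() == tags["d"].lower():
                trusted.append((first[0].lower(), v))
    return trusted


ORIGINAL = [("From", "alerts@bank.example"), ("To", "dkim-list@lists.example.org"),
            ("Subject", "Statement ready")]          # constructed sample, not real mail


def relay_through_list(msg, authserv_id="lists.example.org",
                       signed=("authentication-results", "from", "subject")):
    """List verifies incoming signatures, records the result in its own A-R,
    rewrites Subject (breaking the author signature), then signs."""
    results = [f"dkim={'pass' if verify(msg, i) else 'fail'} header.d={parse_tags(v)['d']}"
               for i, (n, v) in enumerate(msg) if n.lower() == "dkim-signature"]
    ar = ("Authentication-Results", f"{authserv_id}; " + "; ".join(results))
    rewritten = [(n, "[dkim-list] " + v) if n == "Subject" else (n, v) for n, v in msg]
    return sign([ar] + rewritten, "lists.example.org", signed)


def scenarios():
    relayed = relay_through_list(sign(ORIGINAL, "bank.example", ["from", "to", "subject"]))
    forged = [("Authentication-Results", "bank.example; dkim=pass header.d=bank.example")] + relayed
    edited = [(n, v.replace("dkim=pass", "dkim=fail")) if n == "Authentication-Results" else (n, v)
              for n, v in relayed]
    return {
        "relayed": trusted_ar(relayed),       # list's A-R: signed and d= matches
        "forged": trusted_ar(forged),         # injected A-R: covered by nothing, ignored
        "edited": trusted_ar(edited),         # list's A-R altered: list signature fails
        "uncovered": trusted_ar(relay_through_list(       # A-R left out of h=
            sign(ORIGINAL, "bank.example", ["from"]), signed=("from", "subject"))),
        "lying_list": trusted_ar(relay_through_list(      # A-R claims bank's authserv-id
            sign(ORIGINAL, "bank.example", ["from"]), authserv_id="bank.example")),
    }
```

Only the "relayed" and "forged" cases yield a usable A-R, and in both it is the list's own, because the bottom-most-instance rule of h= selection keeps the list's original A-R in the hash even when a forged one is prepended. The two checks a receiver must make are visible in `trusted_ar`: the signature must actually list `authentication-results` in h= (a valid signature that omits it says nothing about the A-R), and the A-R's authserv-id must be the signing domain, since a signature only proves who asserted the A-R, not that the assertion is honest; whether to act on a given signer's assertions is still the local policy question the quoted text raises.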
