On 10/13/2010 12:47 PM, Jeff Macdonald wrote:

>> Then you send me a piece of signed mail, I change everything except the Message-ID and Date, and send it to someone else. And the verifier will green-light it, meaning you've taken responsibility for it. Are you OK with that?
>>
>> My way of thinking about this is that verification of a message is equivalent to collecting all the pieces (header, body, signature) and coming to you and saying "Do you take responsibility for this?" If I get your public key from DNS and everything lines up, you're implicitly saying "yes".
>>
>> Now, if I remove the whole body and most of the header from what I'm presenting to you for that question, you're now possibly saying "yes" to content you didn't create. Are you OK with that?
>
> The only thing I'm willing to say "yes" to is that I created that identifier and nothing more.
>
> Enhancements to my rant would be to include the To: header as well.
>
> The point is DKIM provides a verifiable identifier. If there is anything in the spec that leads one to believe it provides more than that, it needs to be fixed.
>
> But like I said, I was ranting.
Jeff, an identifier that's not bound to something is useless. It's like "Mike" just bouncing around the aether. Until it binds to something, it's not providing anything useful and certainly not something you'd want to alter the message disposition.

Mike

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
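One concrete form of the point argued in this thread, as an added example that is not from the list or its participants: a verifier-side check of which header fields a DKIM-Signature's h= tag actually binds (and whether a bh= body hash is present) before the signature is allowed to influence message disposition. The header-field lists and the two sample signature values are constructed for illustration, not real signatures.

```python
import re

# Header fields a verifier should expect the signature to bind.
# RFC 6376 requires From in h=; the others reflect the thread's example
# of a signature covering only Message-ID and Date (and Jeff's To: addition).
REQUIRED = ("from",)
RECOMMENDED = ("to", "subject", "date", "message-id")

def parse_tags(sig_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags

def signed_headers(sig_value: str) -> set:
    """Return the lower-cased set of header field names listed in h=."""
    h = parse_tags(sig_value).get("h", "")
    return {name.lower() for name in h.split(":") if name}

def assess_coverage(sig_value: str) -> dict:
    """Report what the signature binds and whether it vouches for content."""
    tags = parse_tags(sig_value)
    covered = signed_headers(sig_value)
    missing_required = [f for f in REQUIRED if f not in covered]
    missing_recommended = [f for f in RECOMMENDED if f not in covered]
    has_body_hash = bool(tags.get("bh"))
    # A signature that binds only an identifier (Message-ID/Date) does not
    # vouch for From or the body, so it should not alter disposition.
    binds_content = not missing_required and has_body_hash
    return {
        "covered": sorted(covered),
        "missing_required": missing_required,
        "missing_recommended": missing_recommended,
        "has_body_hash": has_body_hash,
        "binds_content": binds_content,
    }

# Constructed sample DKIM-Signature values (illustrative, not real signatures).
IDENTIFIER_ONLY = "v=1; a=rsa-sha256; d=example.com; s=sel; h=message-id:date; b=AAAA"
CONTENT_BOUND = ("v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/simple;\r\n"
                 " h=from:to:subject:date:message-id; bh=BBBB; b=AAAA")

if __name__ == "__main__":
    for label, sig in (("identifier-only", IDENTIFIER_ONLY), ("content-bound", CONTENT_BOUND)):
        print(label, assess_coverage(sig))
```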
