On 10/16/2010 2:39 AM, Mark Delany wrote:

> My problem is that if some valuable domain like paypal sends me a
> bunch of bits that I or my MUA or my MTA ties to paypal.com then the
> end goal of DKIM is, IMO, that those bunch of bits I "see" are the
> ones that paypal sent. No more, no less.
>
> To murder another idiom: "What you see is what they sent" is I believe
> the ultimate goal of DKIM. Or, "what you complain about is what they
> sent". Whatever.
My point is that DKIM is used within an environment that has a wide range of attacks, including social. While it's of course fair to say that DKIM "protects" the bits it covers, there are two lines of potential misunderstanding. The first is, of course, the bits not covered. The second is that DKIM provides certain kinds of protection, for the bits it protects, and not others.

So when we say that DKIM protects some bits, we need to be clear what it is /not/ doing for those bits and what associated /other/ bits are still subject to attack.

My own observation is that nearly all discussions about DKIM do not reflect care -- and often don't reflect understanding -- about these constraints. This leads to overly ambitious expectations for what DKIM can do.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
