On 7/6/11 3:30 PM, John R. Levine wrote:
>> When DKIM signatures serve as a basis for acceptance, ...
> Since they don't, can we skip the rest of the screed?

In other words, when DKIM signatures serve as a basis for acceptance, this would be an issue? The statement "they don't" contradicts preceding work and:

Section 1.2. Signing Identity
,---
Verifiers can use the signing information to decide how they want to process the message. The signing identity is included as part of the signature header field.
'---

Section 6.3. Interpret Results/Apply Local Policy
,---
It is beyond the scope of this specification to describe what actions an Identity Assessor can make, but mail carrying a validated SDID presents an opportunity to an Identity Assessor that unauthenticated email does not. Specifically, an authenticated email creates a predictable identifier by which other decisions can reliably be managed, such as trust and reputation. Conversely, unauthenticated email lacks a reliable identifier that can be used to assign trust and reputation. It is reasonable to treat unauthenticated email as lacking any trust and having no positive reputation.
'---

Clearly, the signing identity's reputation is expected to play an acceptance role, otherwise what is DKIM's purpose? When DKIM's results may prove misleading, invite phishing attacks, or cause harm, this should question the merits of the current specification.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
