[Asrg] where the message originated
Alessandro Vesely
vesely at tana.it
Mon Jan 12 08:30:52 PST 2009
Steve Atkins wrote:
> On Jan 12, 2009, at 4:44 AM, Alessandro Vesely wrote:
>
>> Hm... I'm not much into DKIM. It technically allows signing false
>> identities, but doesn't (or shouldn't) it semantically imply that the
>> signers must have some (possibly small but still positive) degree of
>> trust that what they sign is correct?
>
> No. The signature only means that the message you received was the one
> signed by the signing identity.

Thanks for the clarification.

> Any mail system that only allows mail to be sent one at a time, and
> requires that the mail be hand-typed (rather than stored in a signature
> or pasted in) and which charges for the service via a credit card is
> going to be a negligible source of abusive email.
>
> KioskCo is definitely going to want to sign the outbound mail with their
> identity, as that identity is unlikely to get a bad reputation and will
> likely get a good reputation over time.

Wouldn't it then make more sense to just sign, say, the date and the
message-ID?

Besides malicious abuses, typos are also a possible source of
confusion for end users. Considering that perhaps one day it will be
possible to read the correct email address from the payment card, if I
were KioskCo, I would avoid signing From headers I don't trust, unless
specifically required by DKIM or related BCPs.

[N.B. "KioskCo" in this thread is understood as an example name, not
related to possibly existing companies bearing the same name.]