In article <01RS5CFAY5S0005PTU@xxxxxxxxxxxxxxxxx> you write:
>More specifically, we developed DKIM/DMARC as an anti-phishing measure for
>commercial email. It was never intended to be used for personal email, but
>Yahoo deployed it in the personal email space and others have followed suit on
>a massive scale. As a result a significant and growing percentage of email is
>now signed, to the point where privacy experts are calling for DKIM key release
>after rotation to at least partially mitigate the damage we have done.

Urrgh. We correctly expected DKIM to be used for all sorts of mail, but without
expecting the DKIM domain to match the From (other than the experimental and
unused ADSP extension). DMARC made "aligned" signatures treated specially, but
the signatures didn't change.

What we didn't anticipate is that large mail systems would never rotate their
keys and use the same DKIM signing key for many years, so you can easily check
old messages with old signatures. I suppose it is kind of a surprise that people
use them for non-repudiation, but since the signatures aren't technically very
different from S/MIME or PGP signatures, it shouldn't be that surprising.

R's,
John
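As an added illustration of the point about never-rotated keys (example code, not from this thread or any DKIM implementation): the snippet parses a DKIM-Signature header and reports whether an old signature is still checkable, which depends only on the selector key still being published under `<s>._domainkey.<d>` and on the optional `x=` expiry. The DNS lookup is replaced by a constructed dict, and the sample header is constructed, not a real message.

```python
# Added example: how long a DKIM signature stays verifiable.
# Key publication is stubbed with a constructed dict standing in for the
# <s>._domainkey.<d> TXT lookup, so this runs offline.
import re

TAG_RE = re.compile(r"([a-z][a-z0-9_]*)\s*=\s*([^;]*)", re.IGNORECASE)


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 sec. 3.2).
    Folding whitespace inside values is dropped, as a verifier does."""
    return {name.lower(): re.sub(r"\s+", "", value)
            for name, value in TAG_RE.findall(header_value)}


def signature_status(header_value, published_selectors, now):
    """Return (still_verifiable, reason) for a signature at Unix time `now`.

    A signature stays checkable while its selector key is still in DNS and
    its optional x= expiry has not passed.  No x= tag plus a key that is
    never rotated means the signature can be verified indefinitely."""
    tags = parse_dkim_tags(header_value)
    domain, selector = tags.get("d", ""), tags.get("s", "")
    if selector not in published_selectors.get(domain, set()):
        return (False, "selector key no longer published")
    if "x" in tags and int(tags["x"]) < now:
        return (False, "signature expired (x= tag)")
    if "x" not in tags:
        return (True, "no x= expiry: verifiable as long as the key is published")
    return (True, "verifiable until x=%s" % tags["x"])


# Constructed sample header (not a real message): signed in 2016, no x= tag.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=key2015;\r\n"
    "\th=from:to:subject:date; t=1451606400;\r\n"
    "\tbh=ZmFrZWJvZHloYXNo=; b=ZmFrZXNpZ25hdHVyZQ=="
)
# Constructed stand-ins for DNS: which selectors the domain publishes today.
NEVER_ROTATED = {"example.com": {"key2015"}}
ROTATED = {"example.com": {"key2024"}}

if __name__ == "__main__":
    now = 1700000000  # late 2023
    print(signature_status(SAMPLE_SIG, NEVER_ROTATED, now))
    print(signature_status(SAMPLE_SIG, ROTATED, now))
```

Rotating the key (and, as the quoted post suggests, publishing the retired private key) or setting `x=` are the two levers a sender has to bound how long a signature remains checkable.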