On Jun 27, 2006, at 8:48 PM, Keith Moore wrote:
I also believe that creating an authentication system that favors large domains over small ones, and inflexible signing policy over flexible signing policy, is bad for society. The trick is getting a balance between these. Some of my concerns about DKIM are in this area, but not all of them.
That is a complaint also heard from members of the APWG wanting this technology applied more easily by smaller entities. Expectations of implicit validation of email-addresses as currently defined in the base draft are problematic in this regard. Making email-address validation explicit by being included within the 'i=' parameter could help remedy a loss of versatility for smaller domains. DKIM could then allow third-party signing domains that make no assertions about the "valid" use of an email-address. The expectation of acceptance policies dealing with spoofing based upon policy applied to the email-address offers poor protections that overlook common use of display names and greater use of international localpart and domain names. Acceptance policies are not enough and require adjunct message annotation conveying not only signature verification status, but also whether the signing domain is within the recipient's list of trusted signing domains. DKIM must not depend upon email-address acceptance policies alone, especially as exclusive reliance upon this approach prevents greater utilization of this technology.
-Doug
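The annotation described in the message above (signature verification status, whether the signing domain is on the recipient's trusted list, and address validation only where 'i=' states it explicitly), as an added Python example that is not part of the original message or of any DKIM draft. The function names, output fields and sample headers are constructed for illustration, and cryptographic verification is assumed to happen elsewhere.

```python
import re
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature tag list ("k=v; k=v") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def annotate(dkim_value, from_header, sig_verified, trusted_domains):
    """Return the annotation a receiving system could attach to a message.

    sig_verified is the outcome of cryptographic verification performed
    elsewhere (assumption: no crypto is done here).
    """
    tags = parse_tags(dkim_value)
    d = tags.get("d", "").lower()
    i = tags.get("i", "").lower()          # empty: no explicit identity claim
    addr = parseaddr(from_header)[1].lower()  # display name is ignored
    local, _, idom = i.rpartition("@")
    # i= must sit within d= (same domain or a subdomain of it)
    in_scope = bool(d) and (idom == d or idom.endswith("." + d))
    # Assumed reading of the proposal: the address counts as validated only
    # when i= carries a local-part and matches the From address exactly.
    # (Lower-casing the local-part is a simplification.)
    explicit = bool(local) and in_scope and i == addr
    return {
        "signing_domain": d,
        "signature_verified": sig_verified,
        "trusted_signer": sig_verified and d in trusted_domains,
        "address_asserted": sig_verified and explicit,
    }

# Constructed sample inputs (not taken from any real message)
TRUSTED = {"esp.example"}
THIRD_PARTY = "a=rsa-sha256; d=esp.example; s=sel1; h=from:subject; b=PLACEHOLDER"
FIRST_PARTY = ("a=rsa-sha256; d=small.example; i=alice@small.example;\r\n"
               "\ts=sel1; h=from:subject; b=PLACEHOLDER")

if __name__ == "__main__":
    frm = "Alice <alice@small.example>"
    print(annotate(THIRD_PARTY, frm, True, TRUSTED))
    print(annotate(FIRST_PARTY, frm, True, TRUSTED))
```

The third-party signature yields a trusted signer with no claim about the address, while the first-party one asserts the address but is not on this recipient's trusted list.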