>Even just trusting GMail would make over 40% of our users happy,
>especially now FireGPG has dropped GMail support. I think it is fair to
>say that if we receive an email with a valid DKIM signature from
><email address hidden> then we can reasonably trust that it came from
><email address hidden>.
What's the basis for this claim?
>We are already trusting email providers due to the mechanics of password
>recovery. This may no longer be true when we become a proper OpenID
>relying party (at which point we start trusting the OpenID providers),
>but it is true now.
Not for actions that require authentication. For those you are trusting a gpg signature.
>We probably want a whitelist of domains to trust, or a tick box the user
>can select against their email address to toggle DKIM trust. Whitelist
>would be the best start I think.
Users are absolutely unqualified to make this decision.