[ietf-dkim] SSP security relies upon the visual domain appearance
Hector Santos
hsantos at santronics.com
Thu Nov 17 23:11:17 PST 2005
----- Original Message -----
From: "SM" <sm at resistor.net>
To: "Stephen Farrell" <stephen.farrell at cs.tcd.ie>; "Jeff Macdonald"
> >And can't the threats document (& later, whatever relevant spec) not
> >just say "don't do that" and thus avoid the problem?
>
> The DKIM draft mentions:
>
> "Under no circumstances should an unsigned header field be displayed
> in any context that might be construed by the end user as having been
> signed."
>
> It could be extended further:
>
> The "From:" header should not be signed if it contains more than one
> sending address.
>
Excellent point!!!!
This is logic that software can use. It doesn't have to sign the From: under
special situations.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
More information about the ietf-dkim
mailing list