[ietf-dkim] Issue: which headers should we REQUIRE to be signed?
Scott Kitterman
ietf-dkim at kitterman.com
Thu Jul 13 15:00:58 PDT 2006
On Thursday 13 July 2006 17:17, Hector Santos wrote:
> ----- Original Message -----
> From: "Barry Leiba" <leiba at watson.ibm.com>
>
> > As chair, I see a growing consensus to do it that way. Let's try to
> > resolve this issue tout de suite, and move on. I'd like to hear from
> > people who think we should have some headers as "MUST sign". I'd like
> > to hear from those who agree with Mark and Mike, that we should not have
> > any with "MUST".
> >
> > What say you?
>
> See my last message to Eric:
>
> http://mipassoc.org/pipermail/ietf-dkim/2006q3/004249.html
>
> I vote for a minimum requirement and expectation that is part of the
> fundamental email infrastructure. In regards to DKIM, that should be the
> FROM: (If I had my choice, I would suggest the DATE: too just to be
> consistent with RFC 2822 minimum requirements).
>
> However, I say this from a Domain Signature Authorization point of view
> which as you know, I am a strong advocate of. It can be "adjustable" if
> the domain policy says it's ok. But I believe this will complicate policy
> concepts so I vote for a minimum requirement.
>
I think that a requirement to sign RFC 2822 required identity header fields
(From and Sender if present) makes a lot of sense. I expect that if we don't
make this a requirement in Base, then in operations, receivers will pay
little attention to signatures that don't include them. So, if we fail to
include that requirement, I think we are doing people a disservice.

I am (no surprise) against any requirement to sign resent-*. They aren't
identity fields in the same way that From and Sender are.

Scott K
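
A receiver-side coverage check of the kind the message above anticipates, as an added example that is not part of the original post: it reads the `h=` tag of each DKIM-Signature header and reports which of From and Sender are present in the message but not signed. The sample messages, domains, selectors and signature values are constructed, and no cryptographic verification is performed.

```python
import re
from email import message_from_string

# Identity fields the message argues must be signed: From, and Sender if present.
IDENTITY_FIELDS = ("from", "sender")

def parse_tags(dkim_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    # Folding whitespace is allowed around tags and inside h=, so drop it all.
    for part in re.sub(r"\s+", "", dkim_value).split(";"):
        name, sep, value = part.partition("=")  # first '=' only; b= may end in '='
        if sep:
            tags[name] = value
    return tags

def unsigned_identity_fields(raw_message):
    """Return [(d= domain, [identity fields present but missing from h=])] per signature.

    Coverage check only: the signature is NOT cryptographically verified here.
    """
    msg = message_from_string(raw_message)
    present = [f for f in IDENTITY_FIELDS if msg.get(f) is not None]
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        covered = {h.lower() for h in tags.get("h", "").split(":") if h}
        report.append((tags.get("d", ""), [f for f in present if f not in covered]))
    return report

# Constructed samples; domains, selectors and bh=/b= values are placeholders.
HEADERS = """\
From: alice@example.com
Sender: list-owner@example.com
To: bob@example.net
Subject: constructed sample
Date: Thu, 13 Jul 2006 15:00:58 -0700

body
"""
COVERED = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
           " h=From : Sender : To : Subject : Date; bh=AAAA; b=BBBB=\n" + HEADERS)
UNCOVERED = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel2;\n"
             " h=from:to:subject:date; bh=AAAA; b=BBBB=\n" + HEADERS)

if __name__ == "__main__":
    for name, raw in (("COVERED", COVERED), ("UNCOVERED", UNCOVERED)):
        print(name, unsigned_identity_fields(raw))
```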