Fwd: Re: [ietf-dkim] Base issue: multiple linked signatures
Charles Lindsey
chl at clerew.man.ac.uk
Wed Jan 3 02:38:47 PST 2007
On Tue, 02 Jan 2007 18:11:06 -0000, Douglas Otis <dotis at mail-abuse.org>
wrote:
> It may prove a mistake mandating the signing of the From header once
> internationalization becomes common. The From header mandate supports a
> highly dubious anti-spoofing effort based upon visual recognition. A
> far more secure alternative applies annotations to digitally recognized
> originators. Such an annotation scheme does not require troublesome
> From header stipulations and is not susceptible to various visual
> exploits, such as the use of look-alikes or cousin domains.
I agree. An unsigned From is a cause for suspicion, but there may
sometimes be valid reasons, which the verifier should be allowed to
consider. For example, in EAI the From may get downgraded during transit.
It is not yet clear what would be the best way to get around that problem,
but unnecessarily restrictive "MUST"s are not going to help. "SHOULD"
would have been quite strong enough - no interoperability problem arises.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5