[ietf-dkim] mutant message validation,
was Base issue: multiplelinked signatures
Douglas Otis
dotis at mail-abuse.org
Wed Jan 10 18:54:20 PST 2007
On Jan 10, 2007, at 2:19 PM, Scott Kitterman wrote:
> On Wednesday 10 January 2007 17:01, Douglas Otis wrote:
>
>> The base draft requires the From header be signed. This header might
>> become modified for EAI compliance.
>
> We've been through this before. IIRC, we included 2822-From
> because it's a
> mandatory part of the message. If you don't sign it, you didn't
> sign the
> message. We don't sign every other line of the body either.
At that time, it was less clear the impact of that decision. What
value exists when the From header is not associated with the signing-
domain? This again mistakenly assumes recipients will verify the
originator based upon visual inspection. What happens when there are
EAI fix-ups on messages sent through a mailing list that signs their
messages? This requirement will cause these signatures to fail for
no valid reason.
-Doug
More information about the ietf-dkim
mailing list