[ietf-dkim] mutant message validation, was Base issue: multiple linked signatures
ietf-dkim at kitterman.com
Wed Jan 10 19:52:07 PST 2007
On Wednesday 10 January 2007 21:54, Douglas Otis wrote:
> On Jan 10, 2007, at 2:19 PM, Scott Kitterman wrote:
> > On Wednesday 10 January 2007 17:01, Douglas Otis wrote:
> >> The base draft requires the From header be signed. This header might
> >> become modified for EAI compliance.
> > We've been through this before. IIRC, we included 2822-From because it's a
> > mandatory part of the message. If you don't sign it, you didn't sign the
> > message. We don't sign every other line of the body either.
> At that time, it was less clear the impact of that decision. What
> value exists when the From header is not associated with the signing-
> domain? This again mistakenly assumes recipients will verify the
> originator based upon visual inspection. What happens when there are
> EAI fix-ups on messages sent through a mailing list that signs their
> messages? This requirement will cause these signatures to fail for
> no valid reason.
IIRC we discussed EAI at the time and it's not clear to me that anything's
changed. This has nothing to do with the originator address and everything
to do with signing the required elements of the message.
Taken to an extreme, there are reasons why any part of the message might get
changed and so we ought not sign anything.
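
The two properties argued over in this thread, as an added example that is not part of the original message: whether a signature's `h=` list covers From, and whether the `d=` signing domain is the same as the From domain. The sample messages, the domains and the helper names are constructed for illustration, and the exact-match domain comparison is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list-signed message (placeholder domains and values).
LIST_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel1;
 h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: list@lists.example.org
Subject: test
Date: Wed, 10 Jan 2007 19:52:07 -0800

body
"""

# Constructed counter-case: signed by the author's domain, but From left out of h=.
NO_FROM = (LIST_SIGNED.replace("h=From:To:", "h=To:")
           .replace("d=lists.example.org", "d=example.com"))


def parse_tags(value):
    """Split a DKIM-Signature value into a tag dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags


def check_signature_scope(raw):
    """Report whether From is covered by h= and whether d= equals the From domain."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    # Header field names in h= are colon-separated and case-insensitive.
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    signing_domain = tags.get("d", "").lower()
    return {
        "from_signed": "from" in signed,
        "signing_domain": signing_domain,
        "from_domain": from_domain,
        # Assumption: exact match only; subdomain relationships are not considered.
        "same_domain": signing_domain == from_domain,
    }
```

For `LIST_SIGNED` the result shows From covered by a signature from a domain other than the author's, which is the mailing-list case raised in the quoted text.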