[ietf-dkim] Re: New Issue: signed vs. unsigned header fields
as input to SSP
mike at mtcc.com
Wed Jan 23 17:00:47 PST 2008
Arvel Hathcock wrote:
>>> This is an interesting, even novel approach. I'm still trying to
>>> evaluate it. One question I have is how it would interact with what
>>> headers are covered by the author signature. In particular, does the
>>> Sender: field in this case have to be covered by the signature?
>> Good point. I'd like if we could keep that as a tracked issue, just
>> so's we remember to think about it.
> One question I have is this: do we need the added algorithmic
> complexity of this Sender: match check? If it can't solve all cases in
> which multiple addresses in From: exist then maybe it's not worth the
> extra effort to spec out and code for? In other words, since
> implementations can't get away from a "check all From domains"
> sub-routine anyway then adding extra code for a Sender: match along with
> a check to make sure Sender was covered by the signature just seems like
> extra work for the implementor?
> Something to think about anyway.
Yeah, that's what I'm worried about too. Especially in light of
implementations that don't obey this From: Sender: correlation
which may well be a common misimplementation.
More information about the ietf-dkim