[ietf-dkim] DKIM does not claim content is correct

Suresh Ramasubramanian ops.lists at gmail.com
Wed Jan 28 06:25:27 PST 2009


On Wed, Jan 28, 2009 at 7:42 PM, Dave CROCKER <dhc at dcrocker.net> wrote:
> It provides data integrity, for the portions covered by the hash, and it
> authenticates the asserted "signing identity".  It does *not* assert
> authorization of the From: field.

Unless the from field is signed ... and perhaps this is appropriate in
quite a few scenarios.

Even in cases where the from is not changeable by the end user (in a
webmail client, or corporate mail system) and is therefore yet another
header that is subject to signing?  And does this go for other
alternatives such as Sender: where the envelope sender is inserted
where header from differs from envelope from?

> Given the community tendency to make assumptions about DKIM that aren't in
> the specification, this really is worth being extremely careful about.

That's one more reason for a use case document.

thanks
suresh

-- 
Suresh Ramasubramanian (ops.lists at gmail.com)
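The distinction Dave draws and Suresh asks about (integrity for the headers listed in h=, including From: and Sender: when the signer chooses to cover them, versus no authorization of the From: address) can be made concrete in code. The following Python example is added here and is not part of the thread or of any DKIM implementation; the headers and the DKIM-Signature value are constructed, bh= and b= are placeholders, and the canonicalization is a simplified version of the "relaxed" algorithm from RFC 4871 (the real header hash also includes the DKIM-Signature header itself and is then signed with the selector's key, steps omitted here).

```python
import hashlib
import re

# Constructed sample message (not from the thread): signer domain example.net,
# From: domain example.com, so the two identities deliberately differ.
HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("Sender", "mailer@example.net"),
    ("Subject", "Quarterly   report"),
    ("Date", "Wed, 28 Jan 2009 06:25:27 -0800"),
]

# Constructed DKIM-Signature tag list; bh= and b= are placeholders, since the
# point here is which headers h= covers, not the RSA verification step.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=sel2009; "
             "h=from:sender:date; bh=BODYHASH_PLACEHOLDER; b=SIG_PLACEHOLDER")


def parse_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 4871 3.2).
    Folding whitespace inside a value is not significant and is removed."""
    tags = {}
    for part in sig.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")   # b= values contain '=' padding
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def relaxed_header(name, value):
    """Simplified 'relaxed' header canonicalization (RFC 4871 3.4.2): lowercase
    the name, unfold, collapse whitespace runs to one space, trim the ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def signed_header_hash(headers, h_tag):
    """Hash only the headers named in h=, in h= order, taking the last instance
    of each name first as a signer would.  Headers absent from h= contribute
    nothing, so they can change without affecting this value.  (A real signer
    also appends the DKIM-Signature header with an empty b= and signs the
    result; that step is left out here.)"""
    remaining = list(headers)
    canonical = []
    for wanted in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                canonical.append(relaxed_header(*remaining.pop(i)))
                break
    return hashlib.sha256("\r\n".join(canonical).encode()).hexdigest()


def covers(tags, header_name):
    """Is header_name protected by this signature's hash?"""
    return header_name.lower() in [h.lower() for h in tags["h"].split(":")]


def tamper(headers, name, new_value):
    """Return a copy of headers with the named header's value replaced."""
    return [(n, new_value if n.lower() == name.lower() else v) for n, v in headers]


def signer_matches_from(tags, headers):
    """Does the signing identity d= equal the From: domain?  DKIM does not
    require this: a signature from another d= still verifies, so a valid
    signature over From: is integrity, not authorization of that address."""
    from_value = next(v for n, v in headers if n.lower() == "from")
    m = re.search(r"@([^>\s]+)", from_value)
    return m is not None and m.group(1).lower() == tags["d"].lower()


if __name__ == "__main__":
    tags = parse_tags(SIGNATURE)
    original = signed_header_hash(HEADERS, tags["h"])
    changed_from = signed_header_hash(tamper(HEADERS, "From", "ceo@example.com"), tags["h"])
    changed_subject = signed_header_hash(tamper(HEADERS, "Subject", "Urgent"), tags["h"])
    print("From: covered by h=        :", covers(tags, "From"))
    print("Subject: covered by h=     :", covers(tags, "Subject"))
    print("From: change breaks hash   :", original != changed_from)
    print("Subject: change breaks hash:", original != changed_subject)
    print("d= equals From: domain     :", signer_matches_from(tags, HEADERS))
```

Run as a script it shows both halves of the point: because h= lists from and sender, any change to either header after signing changes the hash (integrity), while Subject:, not listed, can change freely; and because d=example.net differs from the From: domain example.com, the signature says nothing about whether example.net was entitled to use that From: address. A verifier that wants "From: is authorized" has to add a policy check of its own (the `signer_matches_from` comparison is one such check, chosen for this illustration), which is exactly the assumption the thread warns against reading into DKIM itself.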

