[ietf-dkim] DKIM does not claim content is correct
ops.lists at gmail.com
Wed Jan 28 06:25:27 PST 2009
On Wed, Jan 28, 2009 at 7:42 PM, Dave CROCKER <dhc at dcrocker.net> wrote:
> It provides data integrity, for the portions covered by the hash, and it
> authenticates the asserted "signing identity". It does *not* assert
> authorization of the From: field.
Unless the From field is signed ... and perhaps this is appropriate in
quite a few scenarios.
Even in cases where the from is not changeable by the end user (in a
webmail client, or corporate mail system) and is therefore yet another
header that is subject to signing? And does this go for other
alternatives such as Sender: where the envelope sender is inserted
where header from differs from envelope from?
> Given the community tendency to make assumptions about DKIM that aren't in
> the specification, this really is worth being extremely careful about.
That's one more reason for a use case document.
Suresh Ramasubramanian (ops.lists at gmail.com)
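
The distinction discussed in this message, shown as an added example that is not part of the original post: it reads a DKIM-Signature header and reports which header fields the `h=` tag covers and whether the signing domain in `d=` relates to the From: domain. The sample message, its domains and the `describe` helper are constructed for illustration, and no cryptographic verification is performed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, not real signature data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=sel1;\n"
    " h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@corp.example>\n"
    "Sender: bounce@esp.example\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Remove folding whitespace inside the value (tags may span lines).
            tags[name.strip()] = "".join(val.split())
    return tags

def describe(raw):
    """Report what the signature covers versus what the From: field claims."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    signer = tags.get("d", "").lower()
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        "signing_domain": signer,
        "from_domain": from_domain,
        "from_is_signed": "from" in signed,      # integrity of the field only
        "sender_is_signed": "sender" in signed,
        # Same domain or a subdomain of d=; a separate question from coverage.
        "from_matches_signer": from_domain == signer
        or from_domain.endswith("." + signer),
    }

if __name__ == "__main__":
    for key, val in describe(SAMPLE).items():
        print(f"{key}: {val}")
```

In the sample, From: is covered by the hash yet belongs to a different domain than the signer, which is the case where integrity and signer authentication hold without saying anything about authorization of the From: address.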