[ietf-dkim] draft-ietf-dkim-rfc4871bis-07 // Attacks Involving Additional Header Fields
Charles Lindsey
chl at clerew.man.ac.uk
Wed Apr 27 11:23:31 PDT 2011
On Tue, 26 Apr 2011 05:29:35 +0100, Dave CROCKER <dhc at dcrocker.net> wrote:
>> DKIM doesn't create any binding between the RFC5322.From domain and the "d="
>> value as you're doing. What you're talking about here falls into the realm
>> of ADSP or other policy-like assertions, not DKIM itself which is the topic
>> of this draft.
>
> Perhaps I am wrong, but I believe that this point has been made and re-made
> enough times to warrant not making it again.
Not so. DKIM specifically requires that the From header be included in the
signature. Hence end users (and that includes verifiers) are entitled to
assume that if there is a valid signature, then "the" From header that
they see before them was signed. So there does already exist a binding
quite independently of ADSP or reputation systems, or any other "addons".
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
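The thread subject is the additional-header-field attack: h= lists "from" once, so a second From field prepended later is outside the signature while a mail reader may still display it. The following is an added example, not code from the list or the draft; it applies the RFC 6376 section 5.4.2 bottom-up selection rule to report which From instances a signature actually covers. The headers and the DKIM-Signature (with placeholder bh=/b= values) are constructed for the demo.

```python
import re

def parse_dkim_tags(sig_value):
    """Parse the tag=value list of a DKIM-Signature value (RFC 6376 section 3.2)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)  # unfold whitespace
    return tags

def signed_instances(headers, h_tag):
    """Return indexes of the header instances a signature covers (RFC 6376 section 5.4.2).
    Each name in h= takes the next unused instance of that field counting from the
    bottom of the header block; a name with no instance left covers nothing, which
    is what lets a signer 'over-sign' a field to lock out later additions."""
    unused = {}
    for idx, (name, _) in enumerate(headers):
        unused.setdefault(name.lower(), []).append(idx)  # top-to-bottom order
    covered = []
    for name in h_tag.split(":"):
        stack = unused.get(name.strip().lower(), [])
        if stack:
            covered.append(stack.pop())  # pop() = bottom-most unused instance
    return sorted(covered)

def audit_from_coverage(headers):
    """Report the signer domain and which From instances the signature does / does not cover."""
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_dkim_tags(sig)
    covered = set(signed_instances(headers, tags.get("h", "")))
    from_idx = [i for i, (n, _) in enumerate(headers) if n.lower() == "from"]
    return {
        "d": tags.get("d"),
        "signed_from": [headers[i][1] for i in from_idx if i in covered],
        "unsigned_from": [headers[i][1] for i in from_idx if i not in covered],
    }

# Constructed message: a second From was prepended above the signature after signing.
ATTACKED = [
    ("From", "ceo@example.com"),  # added later; not in the signed set
    ("DKIM-Signature", "v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:subject;"
                       " bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("From", "sender@example.org"),
    ("To", "user@example.net"),
    ("Subject", "hello"),
]

if __name__ == "__main__":
    print(audit_from_coverage(ATTACKED))
```

With h=from:from:to:subject instead, both From instances fall inside the selected set, so the prepended field would have invalidated the signature rather than slipped past it.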