[ietf-dkim] Final update to 4871bis for working group review

Hector Santos hsantos at isdg.net
Wed Jul 6 14:10:35 PDT 2011


Murray S. Kucherawy wrote:

> 8.15.  Attacks Involving Extra Header Fields
> 
>    ...
>
>    Many email components, including MTAs, MSAs, MUAs and filtering
>    modules, implement message format checks only loosely.  This is done
>    out of years of industry pressure to be liberal in what is accepted
>    into the mail stream for the sake of reducing support costs;
>    improperly formed messages are often silently fixed in transit,
>    delivered unrepaired, or displayed inappropriately (e.g., by showing
>    only one of multiple From: fields).

My only nit about this statement is that it's more simple than being 
under pressure, liberal or to reduce cost - in the annals of electronic 
mail, across all networks, only ONE FROM is expected.  Therefore, I 
have my doubts any mail software was ever designed to hold a "list" or 
a collection of more than one From: header simply because it was 
never expected - by design.

Now, whether software checks for message validity, why they did so and 
how widespread this checking is done, probably has more to do with 
how robust the software is to watch for illegal RFC 822/2822/5322 
messages.

The irony here is that the original issue posting was due to software 
that allowed illegal submission of a DKIM signed message but when it 
wasn't signed, the software kicked out the illegal messages.

So it's more about how the current edge software deals with it.  It's how 
they integrate it with DKIM and they need to dot all the i's, cross 
all the t's in their integration.  If they have software control of 
their DKIM stuff, it's probably a good idea to make sure their Verifier 
and Signer have a One From DKIM Rule concept as cited in my previous 
post and the specs should make that very clear.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
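
The single-From check discussed in the message above, as an added example (not code from the post or from any DKIM implementation): a gate a Signer or Verifier could run before DKIM processing. It goes beyond From to the other fields RFC 5322 section 3.6 limits to one occurrence; the function names and sample messages are constructed for illustration.

```python
# Added example: enforce RFC 5322 occurrence limits before DKIM sign/verify.
# header_counts, dkim_precheck and the sample messages are constructed names/data.

# (min, max) occurrences per RFC 5322 section 3.6.
LIMITS = {
    "from": (1, 1), "date": (1, 1), "sender": (0, 1), "reply-to": (0, 1),
    "to": (0, 1), "cc": (0, 1), "subject": (0, 1), "message-id": (0, 1),
}


def header_counts(raw: bytes) -> dict:
    """Count header fields by lowercased name; folded lines count once."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    counts = {}
    for line in head.split(b"\n"):
        if not line or line[:1] in (b" ", b"\t"):
            continue  # continuation of the previous field, not a new field
        name, sep, _ = line.partition(b":")
        if not sep:
            continue  # not a field line; left to stricter format checks
        # strip() also catches the obsolete "From :" spelling
        key = name.strip().decode("ascii", "replace").lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


def dkim_precheck(raw: bytes) -> list:
    """Return violations; an empty list means DKIM processing may proceed."""
    counts = header_counts(raw)
    problems = []
    for field, (lo, hi) in LIMITS.items():
        n = counts.get(field, 0)
        if n < lo or n > hi:
            problems.append(f"{field}: found {n}, expected {lo}..{hi}")
    return problems


# Constructed sample messages.
GOOD = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
        b"Date: Wed, 6 Jul 2011 14:10:35 -0700\r\n"
        b"Subject: folded\r\n subject line\r\n\r\n"
        b"From: this line is body text, not a header\r\n")
TWO_FROM = b"From: ceo@example.org\r\n" + GOOD
OBS_FROM = b"FROM : ceo@example.org\r\n" + GOOD

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("two-from", TWO_FROM), ("obs", OBS_FROM)):
        print(label, dkim_precheck(msg) or "ok")
```

A non-empty result means the message should be rejected or left unsigned rather than passed on to the DKIM code.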



