[ietf-dkim] Final update to 4871bis for working group review

McDowell, Brett bmcdowell at paypal-inc.com
Fri Jul 8 05:05:49 PDT 2011


> -----Original Message-----
> From: John Levine [mailto:johnl at iecc.com]
> Sent: Thursday, July 07, 2011 6:22 PM
> 
> >Will your "assume one more From than listed in h=" lead to failed
> >verifications on messages that actually follow the advice in the RFC to
> >list duplicate headers in their h= values?
> 
> The RFC also says you shouldn't sign messages that aren't RFC 2822.  So pick
> your poison.
> 
> I have to say it's a little surreal to have these arguments about what changes

John, this particular part of the discussion is not about changing the RFC or DKIM implementations, only changing deployment configuration practices.

> to make to avoid the horrors of a duplicate From: attack that is and likely will
> always be entirely hypothetical,

Doug, has Trend Micro actually demonstrated this attack (and the recommended countermeasures) on the wire? If not, I suggest you do so.
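
The deployment practice discussed in this thread, listing From in h= one more time than it occurs in the message so that a From added later breaks verification, can be checked on a signed message as shown here. This is an added example, not code from the thread or from any DKIM implementation; the function names, the example.com addresses and the sample messages with placeholder bh=/b= values are constructed for illustration.

```python
import email
import re

def signed_header_names(dkim_value):
    """Return the lowercased header names listed in a DKIM-Signature h= tag."""
    compact = re.sub(r"\s+", "", dkim_value)  # drop folding whitespace
    for tag in compact.split(";"):
        name, _, value = tag.partition("=")
        if name == "h":
            return [h.lower() for h in value.split(":") if h]
    return []

def from_coverage(raw_message):
    """Compare From headers in the message with From entries in each h=."""
    msg = email.message_from_string(raw_message)
    present = len(msg.get_all("From", []))
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        listed = signed_header_names(sig).count("from")
        report.append({
            "from_headers": present,
            "from_in_h": listed,
            # More h= entries than headers: the extra entry hashes as empty,
            # so a From added after signing changes the hash input.
            "oversigned": listed > present,
            # More than one From means the message is not RFC 2822 compliant.
            "multiple_from": present > 1,
        })
    return report

def sample(h_value):
    """Constructed test message; the signature values are placeholders."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
        f"\th={h_value};\n"
        "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
        "From: alice@example.com\n"
        "To: bob@example.com\n"
        "Subject: test\n"
        "\n"
        "body\n"
    )

if __name__ == "__main__":
    for h in ("from:to:subject", "from:from:to:subject"):
        print(h, from_coverage(sample(h)))
```

This inspects signer configuration only; it does not verify the signature itself.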


