[ietf-dkim] Doublefrom language should be in ADSP, not core
Hector Santos
hsantos at isdg.net
Sun Jul 10 00:22:01 PDT 2011
Michael Deutschmann wrote:
> One additional thought on the whole double-From: argument -- if RFC
> language on the issue is justified at all, it really belongs in the
> ADSP RFC, not a core DKIM one.
>
> A double-From: doesn't even rise to the level of theoretical threat
> except when dealing with ADSP (or a successor).

-1, we didn't need ADSP to show it was an empirical problem here.
Remember the President Obama message?

Now of course, if ADSP was a standard and whitehouse.com had an
exclusive signing policy, receivers would have rejected the junk
distributed by Dave's list server as an ADSP violation. But ADSP is a
pipe dream.

> To the core DKIM spec, "From:" isn't magic at all. Rather than
> enumerate every header that might be sensitive, we should put in a
> non-normative note that layered protocols should consider the issue:

Not sure what that means - the 5322.From is the single most
fundamental header in the email system. DKIM could not change that
and it's why it's a thorn in the side that it's the one and only single
requirement for binding. At a minimum, a signature must have h=from.

This WG group has long suffered on the idea that From was a required
bind and the 3rd party trust advocates have tried to minimize that and
simply couldn't without proper logic.

The From signing requirement was based on the original framework when
POLICY was a natural part of the algorithm - the security aspects of
the protocol BROKE down when it was separated and we never got over it.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
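
Added example, not part of the original message or of any DKIM implementation: a receiver-side check for the two conditions discussed in this thread, more than one From: header field and a DKIM-Signature whose h= tag does not list from. It also reports a signature that lists from fewer times than From: appears, since each h= entry covers one header instance. The function names, finding strings and sample messages are constructed for illustration.

```python
import email
import re

def signed_headers(sig_value):
    """Return the lower-cased header names listed in a DKIM-Signature h= tag."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, val = part.partition("=")   # first '=' only: b=/bh= keep padding
        if sep:
            tags[name.strip()] = val.strip()
    h = re.sub(r"\s+", "", tags.get("h", ""))  # drop folding whitespace
    return [n.lower() for n in h.split(":") if n]

def check_from_binding(raw_message):
    """List findings about From: multiplicity and its coverage by each signature."""
    msg = email.message_from_string(raw_message)
    n_from = len(msg.get_all("From") or [])
    findings = []
    if n_from != 1:
        findings.append("from-count=%d" % n_from)
    for i, sig in enumerate(msg.get_all("DKIM-Signature") or []):
        covered = signed_headers(sig).count("from")
        if covered == 0:
            findings.append("sig[%d]-missing-h=from" % i)
        elif covered < n_from:
            findings.append("sig[%d]-covers-%d-of-%d-from" % (i, covered, n_from))
    return findings

# Constructed sample messages (signature values are placeholders, not real).
DOUBLE_FROM = (
    "From: a@example.org\n"
    "From: b@example.net\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;\n"
    " h=from : to:\n"
    " subject; bh=AAAA=; b=BBBB==\n"
    "To: c@example.com\nSubject: hi\n\nbody\n"
)
FROM_NOT_SIGNED = (
    "From: b@example.net\n"
    "DKIM-Signature: v=1; d=example.net; s=sel; h=to:subject; bh=AAAA=; b=BBBB==\n"
    "To: c@example.com\nSubject: hi\n\nbody\n"
)
CLEAN = (
    "From: b@example.net\n"
    "DKIM-Signature: v=1; d=example.net; s=sel; h=From:To; bh=AAAA=; b=BBBB==\n"
    "To: c@example.com\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("double", DOUBLE_FROM), ("unsigned", FROM_NOT_SIGNED), ("clean", CLEAN)]:
        print(name, check_from_binding(raw))
```
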