Eric Allman wrote: > I've heard some discussion the last couple of days that we should drop > the MUST for signing originator headers and Resent-* blocks, since > this isn't an interoperability issue (but is perhaps a usefulness > issue). This is, in some sense, dictating policy instead of being > confined to mechanism, which we've been assiduously avoiding. Viewed > that way, it seems inappropriate to have this requirement. > > Of course, a verifier would be completely within reason to ignore > signatures that didn't sign the From header, but that's up to them. > > If we can get a very quick consensus I can get this into base-04 > (which is going to be submitted today come hell or high water --- oh > wait, that was Dallas). It seems consistent with the other changes > we've been making, which is why I have some small hope we can get this > through in just a couple of hours. > > Thoughts?
If we do this, there needs to be some strongly-worded but non-normative guidance that reminds people that if they want their signature to be useful, there are some header fields they really ought to sign, including From, Subject, Date, and probably Sender (the latter on account of Outlook clients). Otherwise, the signature really doesn't mean much, and if the verifier does something like remove unsigned header fields, the recipient is going to see a lot of blanks. In other words, it doesn't need to be a normative MUST because not signing From doesn't break the protocol. Whether it's a normative SHOULD, a should (note lower case) or a non-normative note I'm not sure. -Jim _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
