On Friday 14 July 2006 01:51, Mark Delany wrote:
> > Eric Allman wrote:
> > > Folks OK with that?
>
> -1
>
> If a verifier has a verified email with a d= what is the fundamental value-add on insisting that From: is a signed header? After all, a minimalist verifier is going to query some database to ask the question: Do I like d=?
>
> Will that query be influenced by a From: header? I'd think not. A minimalist verifier could care less. All they want to know is, who is the responsible domain and how much do I like them?
>
> It still seems to me that enforcing a From: is a vestigial attempt to protect MUAs. But I thought we had decided that we weren't in the business of solving that problem? Is that true?
>
> If we are truly out of the business of protecting MUAs, then I see no rationale for enforcing From: signing.
>
> If we are in the business of protecting MUAs then we need to re-visit that whole can of worms around Sender: and Resent: and all those other potential MUA originators and triggers.

From my perspective we should be, at a minimum, signing 'the message'. Since From is required by both RFCs 822 and 2822, without including it what is signed isn't a valid e-mail message.
I think it's more, at this level, a question of protecting the message from in-transit modification than protecting the MUA. So, put another way, I think you need to sign From for the same reason you sign the body of the message.

Scott K
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
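An added illustration of the point made in the reply above (this is example code written for this page, not code from the thread or from any DKIM implementation). It builds the signed input the way DKIM does, the headers listed in h= in relaxed canonical form followed by a body hash, and then checks what a verifier sees when a relay rewrites From: in transit. Assumptions: HMAC-SHA256 with a constructed key stands in for the domain's RSA signature, the DKIM-Signature header itself is left out of the signed input, the body uses "simple" canonicalization, and duplicate header fields are not handled. The sample message is constructed.

```python
import hashlib
import hmac
import re

# Constructed key standing in for the signing domain's RSA key pair
# (assumption for this example; real DKIM signs the same canonical input
# with RSA or Ed25519, not a shared secret).
SIGNING_KEY = b"constructed-example-key-not-a-real-dkim-key"


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization:
    lowercase the field name, unfold, collapse runs of WSP, trim."""
    name = name.lower()
    value = re.sub(r"\r?\n", "", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim WSP
    return f"{name}:{value}\r\n"


def simple_body(body):
    """RFC 6376 section 3.4.3 simple body canonicalization: CRLF line
    endings, trailing empty lines reduced to a single CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body):
    return hashlib.sha256(simple_body(body).encode()).digest()


def signed_input(headers, h_list, body):
    """Build what the signature covers: each header named in h=, in h=
    order, canonicalized, then the body hash. A header that is not in h=
    contributes nothing, so changing it can never invalidate the signature."""
    lookup = {n.lower(): v for n, v in headers}
    data = b""
    for name in h_list:
        if name.lower() in lookup:  # a missing header is signed as absent
            data += relaxed_header(name, lookup[name.lower()]).encode()
    data += b"bh=" + body_hash(body).hex().encode() + b"\r\n"
    return data


def sign(headers, h_list, body, key=SIGNING_KEY):
    return hmac.new(key, signed_input(headers, h_list, body),
                    hashlib.sha256).hexdigest()


def verify(headers, h_list, body, signature, key=SIGNING_KEY):
    expected = sign(headers, h_list, body, key)
    return hmac.compare_digest(expected, signature)


# Constructed sample message.
ORIGINAL = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "meeting"),
    ("Date", "Fri, 14 Jul 2006 01:51:00 +0000"),
]
BODY = "See you at 10.\n"


def rewrite_from(headers):
    """Simulate an in-transit rewrite of the From: field."""
    return [(n, "Someone else <other@example.com>" if n.lower() == "from" else v)
            for n, v in headers]


def refold_subject(headers):
    """Simulate a relay refolding Subject: with extra whitespace, which
    relaxed canonicalization is designed to tolerate."""
    return [(n, "  meeting\r\n\t" if n.lower() == "subject" else v)
            for n, v in headers]


def demo(h_list):
    """Sign the original, then report whether (a) the original, (b) a
    refolded copy and (c) a copy with From: rewritten still verify."""
    sig = sign(ORIGINAL, h_list, BODY)
    return (verify(ORIGINAL, h_list, BODY, sig),
            verify(refold_subject(ORIGINAL), h_list, BODY, sig),
            verify(rewrite_from(ORIGINAL), h_list, BODY, sig))


if __name__ == "__main__":
    print("h=subject:date      ->", demo(["subject", "date"]))
    print("h=from:subject:date ->", demo(["from", "subject", "date"]))
```

With h=subject:date the rewritten From: still verifies, because the signature simply does not cover it; with h=from:subject:date the same rewrite fails, while the whitespace-only refolding of Subject: passes in both cases. That is the sense in which signing From: is protecting the message rather than the MUA: the verifier's decision about d= is unchanged, but a signature over a message whose mandatory originator field can be replaced without detection covers less than "the message".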
