,---
|5.3.1.  Negative Commentary
|...
|6. Security Threat with DKIM base, a first party signer can
|   always clarify which address it is signing on behalf of
|   by using the i= tag. That is, when there's ambiguity
|   between, say, From: and Sender: the signer has the
|   ability to clarify which address the signature was on
|   behalf of if it so desires. For a third party signature,
|   there is no clarity since the signature by definition has
|   no relationship to the origination addresses.
'___

There are some simple remedies for this problem. One could amend the DKIM base to allow the i= parameter to include other domains when supported by policy, but this will confront backward compatibility issues. Another alternative could be to include a new parameter in both the DKIM signature field and the key. For example, "m=<email-address>" could be used as an alternative to "i=" and "g=". The signing domain should include only validated email-addresses within the "m=" parameter. This avoids the exploit raised regarding the use of signing domains that are different from that of the email-address domain. The "m=" parameter should also be defined where the assertion of the email-address having been validated is also clearly assured.

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
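The i= behaviour described in the quoted draft text, as an added example that is not part of the original message or of any DKIM implementation: it parses the d= and i= tags of a DKIM-Signature value and reports which origination header, if any, the signature can be tied to. The header values and addresses are constructed, no cryptographic verification is performed, and `on_behalf_of` and its return labels are hypothetical names.

```python
import re

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def within(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def on_behalf_of(sig_value, origin):
    """origin maps header name -> address. Returns (party, header or None)."""
    tags = parse_tags(sig_value)
    d = tags["d"].lower()
    i = tags.get("i", "@" + d)  # DKIM base: i= defaults to "@" plus d=
    if not within(domain_of(i), d):
        raise ValueError("i= domain must be d= or a subdomain of it")
    if not i.startswith("@"):
        # Signer named a full address: an exact match removes the ambiguity.
        # (Whole-address lowercasing is a simplification for this example.)
        for header, addr in origin.items():
            if addr.lower() == i.lower():
                return ("first-party", header)
    covered = [h for h, a in origin.items() if within(domain_of(a), d)]
    if not covered:
        return ("third-party", None)  # no relationship to origination addresses
    return ("first-party", covered[0] if len(covered) == 1 else None)

# Constructed sample data (bh=/b= values are placeholders, nothing is verified).
ORIGIN = {"From": "alice@example.com", "Sender": "list-admin@example.com"}
BASE = "v=1; a=rsa-sha256; s=sel1; h=from:sender; bh=PLACEHOLDER; b=PLACEHOLDER; "
SIG_WITH_I = BASE + "d=example.com; i=list-admin@example.com"
SIG_NO_I = BASE + "d=example.com"
SIG_THIRD = BASE + "d=lists.example.net"
SIG_BAD_I = BASE + "d=lists.example.net; i=alice@example.com"

if __name__ == "__main__":
    for sig in (SIG_WITH_I, SIG_NO_I, SIG_THIRD):
        print(on_behalf_of(sig, ORIGIN))
```

`SIG_BAD_I` raises `ValueError`: under the DKIM base a signer cannot put an address from another domain in i=, which is the restriction the first remedy in the message would relax.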
