On Jan 5, 2007, at 10:45 AM, Hector Santos wrote:
> I am still convinced that most people are not going to sign mail if
> the ROUTE it takes is proven to break the integrity of the mail.

This is a reason to remove from the DKIM base draft the 5.4
stipulation that the From header MUST be signed. After all,
internationalization is likely to cause invalid signatures. When
other headers might actually represent the signing-originator, it
makes little sense for this stipulation, when this then requires
heuristics to "save" the signature. This 5.4 statement could be
changed to indicate that an originating header SHOULD be signed.

Although I am sure your concern is focused upon verification at the
MTA, protection afforded by DKIM allows the MDA-MUA path to not be
trusted. Perhaps at some point a new identity could be included
within the signature to ensure a discernible linkage between the
originating header and the signer.

Introducing restrictive policy will only further diminish the success
rate of otherwise legitimate messages when other headers are not
accommodated.

Policy that establishes associations with other domains also supports
opportunistic security, as used with protocols like SSH. When the
goal is to improve the integrity of mail, allowing autonomous
associations accommodating all headers offers the only solution that
may make a genuine improvement. The base draft's requirements that
specific headers be signed, and that any header linkage is only
discernible when domains match, creates impediments for the success
rate of legitimate mail. These dubious requirements are aimed at
supporting visual recognition, which is perhaps worse than misleading.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
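
An added example, not part of the original message or of any DKIM implementation: a Python sketch that reports, for each originating header present, whether the signature's h= tag covers it and whether its address domain matches the signing domain d=. The sample message, the list of originating headers and the rule that a subdomain of d= counts as a match are assumptions made for illustration; the signature itself is not verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the headers treated as "originating" for this illustration.
ORIGINATOR_HEADERS = ("from", "sender", "resent-from", "resent-sender")

# Constructed sample: a list resender signs Sender but leaves From unsigned.
# The bh= and b= values are placeholders, not real signature data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=sel1;\n"
    "\th=sender:to:subject:date;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "Sender: list-bounces@lists.example.net\n"
    "To: discuss@lists.example.net\n"
    "Subject: constructed sample\n"
    "Date: Fri, 5 Jan 2007 10:45:00 -0800\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def domain_matches(addr_domain, signing_domain):
    """Assumption: an exact match or a subdomain of d= counts as linked."""
    return addr_domain == signing_domain or addr_domain.endswith("." + signing_domain)

def originator_coverage(raw_message):
    """For each originating header present, report h= coverage and d= linkage."""
    msg = message_from_string(raw_message)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = {h.lower() for h in tags.get("h", "").split(":")}
    d = tags.get("d", "").lower()
    report = {}
    for name in ORIGINATOR_HEADERS:
        if msg[name] is None:
            continue
        domain = parseaddr(msg[name])[1].rpartition("@")[2].lower()
        report[name] = {"signed": name in signed,
                        "domain_linked": domain_matches(domain, d)}
    return report

if __name__ == "__main__":
    for header, result in originator_coverage(SAMPLE).items():
        print(header, result)
```
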