On 10/23/10 12:25 PM, Barry Leiba wrote:
> On Fri, Oct 22, 2010 at 10:13 PM, Hector Santos <[email protected]> wrote:
>> John Levine wrote:
>>>>> DKIM makes no statement about the validity of a "sender" address.
>>>>> d/
>>>> I guess I should have said Author address.
>>> DKIM makes no statement about the validity of an Author address.
>> I keep reading this but there is no technical merit to show there is any truth to it, and in fact the only thing that is probably the strongest validity is the Author Address.
>>
>> No matter how many times it is stated and repeated, it will never be true. If one wants this to be true, then remove the required binding to the Author Address, a.k.a. 5322.From.
> No, not at all. While I think it was probably a mistake to make the signing of ANY header fields "MUST" (we should have just put "From" in with the other "SHOULD" fields), the fact that "From" MUST be signed says, in itself, nothing about the *validity* of the address (nor the display name) in that field. That's up to the signer.

Agreed, but DKIM, at a minimum, requires the binding of the From header field with that of the signature. Many consumers of DKIM results may rely upon this binding as a basis to extend trust of a signature to include the From header field for trustworthy sorting or display. The signing domain, through an out-of-band method, may make assurances about the From header field as having been authenticated to protect a sorting or display process. Wherever the DKIM verification process occurs, it MUST ensure there is only a single From header field to protect these results from being trivially exploited.

> It's all a question of what the signer is willing to sign. I have two submission domains that I use. One, gmail.com, which does DKIM signing, will only allow me to use a "From" address after it has sent a test message to that address and seen that I can access the test message. So it's made *some* level of confirmation that I owned the address at the time I set it up. But there's no confirmation that I still own the address, and there's certainly no assessment of the display name that I associate with it. Gmail will sign mail that I send with my old IBM addresses in the "From", though I have not worked for IBM for over a year and a half, and no longer have any authorization from IBM to use those addresses.
>
> Is that "valid"?

At no time will the name be signed by IBM. Identification depends upon each domain's name reuse policy. Some domains do not allow names to be reused for this reason. If IBM were to decide to reuse your old email address for a different employee, they then risk having this name confused with the original holder of the email address. The same problem occurs for mailing lists and other methods that depend upon seeing the same email address.

> But that's all outside the scope of DKIM. DKIM only provides assurance of the *signing* domain, and that the message has arrived substantially unchanged from when it was signed (modulo h= and c=).

Agreed.

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
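The single-From requirement stated in the reply above, as an added example (Python written for this page, not code from the thread or from any DKIM verifier; the sample messages, the PLACEHOLDER signature values and the function names are constructed for illustration, and real signature verification is assumed to have happened elsewhere):

```python
"""Single-From gate for consumers of DKIM results.

Added example, not code from the thread or from any DKIM library. It assumes
signature verification (key lookup, bh= and b= checks) has already been done;
the PLACEHOLDER values in the samples are not real signatures.

Why the gate matters: RFC 6376 has the signer and verifier select the header
fields named in h= from the bottom of the header block upward, so with
h=from only the last From: is hashed, while some mail clients display the
first (top-most) From:. A From: prepended above the signature in transit is
therefore shown to the user but was never signed.
"""
import email
import re

# Constructed sample: a signed message with exactly one From: field.
SIGNED = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/simple;\r\n"
    b" h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: invoice\r\n"
    b"\r\n"
    b"Hello Bob\r\n"
)

# Constructed sample: the same message with a second From: prepended in transit.
# The signature still verifies (the bottom From: is the one that was hashed),
# but a client that shows the first From: displays ceo@bank.example.
SPOOFED = b"From: ceo@bank.example\r\n" + SIGNED

# Constructed sample: the signer listed 'from' twice in h= (oversigning), so a
# From: added later is hashed into the signature and breaks verification.
OVERSIGNED = SIGNED.replace(b"h=from:to:subject", b"h=from:from:to:subject")


def from_header_count(raw: bytes) -> int:
    """Count From: fields in the top-level header block (RFC 5322 allows one)."""
    msg = email.message_from_bytes(raw)
    return len(msg.get_all("From") or [])


def signed_from_slots(raw: bytes) -> int:
    """How many 'from' entries the first DKIM-Signature's h= tag lists.

    Returns 0 when there is no signature. Folding whitespace inside the tag
    value is removed before splitting the h= list on ':'.
    """
    msg = email.message_from_bytes(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return 0
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return sum(1 for f in tags.get("h", "").split(":") if f.lower() == "from")


def from_is_trustworthy(raw: bytes) -> bool:
    """Gate for sorting/display logic that relies on the signed From: field.

    True only when exactly one From: field is present, so the field a client
    shows is the one the signature bound. A second From: makes the result
    untrustworthy even if the signature itself verified.
    """
    return from_header_count(raw) == 1


def all_from_fields_covered(raw: bytes) -> bool:
    """Diagnostic: True when every From: instance falls within the h= slots the
    signer committed to, i.e. a verified signature covered all of them."""
    return from_header_count(raw) <= signed_from_slots(raw)


if __name__ == "__main__":
    for label, raw in (("signed", SIGNED), ("spoofed", SPOOFED), ("oversigned", OVERSIGNED)):
        print(f"{label:10s} From-count={from_header_count(raw)} "
              f"h=from-slots={signed_from_slots(raw)} "
              f"trustworthy={from_is_trustworthy(raw)}")
```

`from_is_trustworthy` is the check the reply calls for: a verified signature over SPOOFED is still a verified signature, but the From: a user sees is not the one it bound, so the display or sorting decision must not be extended to it. `all_from_fields_covered` shows the complementary signer-side defence that RFC 6376 describes, listing `from` once more in h= than it occurs so that any added From: breaks verification instead of silently passing.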
