Michael Deutschmann wrote:
> One additional thought on the whole double-From: argument -- if RFC
> language on the issue is justified at all, it really belongs in the
> ADSP RFC, not a core DKIM one.
>
> A double-From: doesn't even rise to the level of theoretical threat
> except when dealing with ADSP (or a successor).

-1, we didn't need ADSP to show it was an empirical problem here. Remember the President Obama message? Now of course, if ADSP was a standard and whitehouse.com had an exclusive signing policy, receivers would have rejected the junk distributed by Dave's list server as an ADSP violation. But ADSP is a pipe dream.

> To the core DKIM spec, "From:" isn't magic at all. Rather than
> enumerate every header that might be sensitive, we should put in a
> non-normative note that layered protocols should consider the issue:

Not sure what that means - the 5322.From is the single most fundamental header in the email system. DKIM could not change that and it's why it's a thorn in the side that it's the one and only single requirement for binding. At a minimum, a signature must have h=from. This WG group has long suffered on the idea that From was a required bind and the 3rd party trust advocates have tried to minimize that and simply couldn't without proper logic. The From signing requirement was based on the original framework when POLICY was a natural part of the algorithm - the security aspects of the protocol BROKE down when it was separated and we never got over it.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
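
A receiver-side check for the double-From case and the h=from binding discussed in this thread, as an added example that is not code from either poster or from the DKIM specification. The sample messages, domains and placeholder signature values are constructed; the rule that repeating a name in h= also covers instances that are absent is taken from RFC 6376, not from this thread.

```python
import email
from email import policy

def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in str(value).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_from_binding(raw_bytes):
    """Compare the number of From headers with what each signature's h= covers."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.compat32)
    from_count = len(msg.get_all("From", []))
    findings = []
    if from_count != 1:
        findings.append(f"message has {from_count} From headers")
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
        covered = signed.count("from")  # each listing binds one From instance
        domain = tags.get("d", "?")
        if covered == 0:
            findings.append(f"d={domain}: h= does not list from")
        elif from_count > covered:
            findings.append(
                f"d={domain}: {from_count - covered} From header(s) "
                "not covered by the signature")
    return findings

# Constructed sample: two From headers, signature lists from once.
SAMPLE_DOUBLE = (
    b"From: President <president@whitehouse.example>\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=sel;\r\n"
    b" h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: someone@list.example\r\n"
    b"To: reader@example.net\r\nSubject: test\r\n\r\nbody\r\n")

# Constructed sample: one From header, signature lists from twice.
SAMPLE_OVERSIGNED = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=sel;\r\n"
    b" h=from:from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: someone@list.example\r\n"
    b"To: reader@example.net\r\nSubject: test\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name, raw in (("double", SAMPLE_DOUBLE), ("oversigned", SAMPLE_OVERSIGNED)):
        print(name, check_from_binding(raw))
```

The check inspects headers only; it does not verify the signature itself.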
