On Jun 4, 2013, at 9:13 AM, Murray S. Kucherawy <[email protected]> wrote:

> On Tue, Jun 4, 2013 at 4:08 AM, Douglas Otis <[email protected]> wrote:
>> In its current form, DKIM simply attaches a domain name in an unseen message
>> fragment, not a message. The ease in which the only assured visible fragment
>> of the message signed by the domain being forged makes it impossible for
>> appropriate handling to be applied or likely harm prevented.
>
> There are existence proofs that contradict this claim. They have been
> brought to your attention in the past.

Thank you for your response. Could I trouble you for a reference to the proofs or for you to expand on what you specifically mean? The draft otis-dkim-harmful addendum captured actual DKIM From header field spoofing delivered to the in-box for several major providers.

> It appears you're continuing to assign semantics to DKIM signatures that
> simply aren't there. I don't know what else can be done to clarify this.

The semantics of d=domain and dkim=pass appear to be at the root of the problem. What other semantics are you suggesting?

> Procedurally speaking, what path do you anticipate your draft following?

To require messages with invalidly repeated header fields to not return a "pass" for DKIM signature validation. I apologize if I missed your response to a private query. I hope to post an update shortly covering all expressed concerns.

Regards,
Douglas Otis
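The check Douglas proposes at the end of his message, written out as an added example that is not part of the thread or of any DKIM library: a verifier-side policy step that refuses to report "pass" when a message repeats a header field RFC 5322 allows only once, plus a test for whether the DKIM-Signature h= tag oversigns a field (RFC 6376 section 8.15). The sample message, field names and function names are constructed for this example.

```python
import re

# RFC 5322 section 3.6: header fields that may appear at most once in a message.
SINGLETON_FIELDS = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
                    "message-id", "in-reply-to", "references", "subject"}

def header_fields(raw: str) -> list[tuple[str, str]]:
    """Split the header block into (name, value) pairs, unfolding folded lines."""
    block = raw.split("\r\n\r\n", 1)[0]
    block = re.sub(r"\r\n[ \t]+", " ", block)        # unfold continuation lines
    fields = []
    for line in block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields

def repeated_singletons(raw: str) -> dict[str, int]:
    """Return {field: count} for singleton fields that occur more than once."""
    counts: dict[str, int] = {}
    for name, _ in header_fields(raw):
        if name in SINGLETON_FIELDS:
            counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}

def oversigned(raw: str, field: str) -> bool:
    """True if the DKIM-Signature h= tag lists `field` at least twice, so that
    any added copy of that field would invalidate the signature."""
    for name, value in header_fields(raw):
        if name == "dkim-signature":
            tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
            listed = [f.strip().lower() for f in tags.get("h", "").split(":")]
            return listed.count(field.lower()) >= 2
    return False

def dkim_policy_result(raw: str, signature_verified: bool) -> str:
    """A cryptographically valid signature still does not earn 'pass' when the
    message carries invalidly repeated singleton header fields."""
    if not signature_verified:
        return "fail"
    dupes = repeated_singletons(raw)
    if dupes:
        return "fail (repeated header fields: %s)" % ", ".join(sorted(dupes))
    return "pass"

# Constructed sample: a second From field sits above the one that was signed.
SPOOFED = (
    "From: [email protected]\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    " h=from:subject:date; bh=...; b=...\r\n"
    "From: [email protected]\r\n"
    "Subject: hello\r\n"
    "Date: Tue, 4 Jun 2013 04:08:00 -0700\r\n"
    "\r\nbody\r\n")
```

Hashing the signed fields is assumed to have been done already; the function only decides whether a verified signature may still be reported as "pass".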
