Douglas Otis wrote:
On Oct 31, 2005, at 2:24 PM, Dave Crocker wrote:

I didn't see anything in the
spec about verifying that the arbitrary text matches the purported From
address. Is this correct? Perhaps this could be addressed as a
possible threat in the analysis?

SSP deals with matching the From to the DKIM identity. Did you have any
other matching in mind?

Although many wish to attribute an ability to directly relate the From
header with the DKIM signing-domain as a means to abate abuse, this is
a foolish quest.

You keep saying that. But there're clearly folks who disagree.
I suspect repetition won't change minds.

And while there may be cases where the current version is
problematic, there may also be cases where your alternative
is similarly problematic - e.g. your opaque identifier may
turn out to be the same as the X.509 serialNumber field,
which field has been involved in lots of grief in terms of
handling revocation - will such a field require the definition
of a CRL/OCSP/SCVP equivalent? (Is that a fair comparison?)

For now though, (i.e. prior to becoming a wg) we only
really need to recognise this as an issue (which I at any
rate, have) but we don't need to solve it, right?

PS: I still think Dave's right in that dkim can't do anything
directly about the problem in the subject line other than maybe
exhort others to think about it as they implement products.

ietf-dkim mailing list