
Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-27 11:35:52
----- Original Message -----
From: "Wietse Venema" <wietse(_at_)porcupine(_dot_)org>
To: <ietf-dkim(_at_)mipassoc(_dot_)org>

The problem is the mistaken belief that signatures make
statements about 2822.From addresses.

Wietse,

There is a strong statement stated in the DKIM-BASE introductory goal:

   The ultimate goal of this framework is to permit a
   signing domain to assert responsibility for a message,
   thus  protecting message signer identity and the
   integrity of the messages they convey while retaining
   the functionality of Internet email as it is known today.
   Protection of email identity may assist in the global
   control of "spam" and "phishing".

An even more detailed strong statement is stated in DKIM-BASE section 5.4,
where it clearly mandates hashing the 2822.From: header field:

   The From header field MUST be signed (that is, included in the h= tag
   of the resulting DKIM-Signature header field). Signers SHOULD NOT
   sign an existing header field likely to be legitimately modified or
   removed in transit.

In the real world, no one expects the 2822.FROM: to be modified in transit.
It would be considered a taboo to do so.

And in the same section, it provides informative insight as to what headers
should be considered and why. We can summarize it as:

   - Persistent Headers
   - Best Practice for Presentation
   - Well known

In general, these are headers that are typically common among all applications,
including across mail gateways.  You can't go wrong with a bare minimum:

    From:
    To:
    Subject:
    Date:
    [body]

So I am not sure why it is a mistaken belief to view DKIM as a Digital
Message Signature technology and protocol that attempts to make a strong
statement of assuring mail integrity by protecting the originating mail
author, its domain, its mail content from potential harm and abuse.

After all, what is the purpose of DKIM?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
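
A small verifier-side check for the section 5.4 rule and the "bare minimum" header set discussed in this post: it parses the h= tag of a DKIM-Signature header and reports whether From (MUST) and the From/To/Subject/Date set are covered. This is an added example, not code from the post or from the DKIM working group; the sample signature values are constructed and their bh=/b= fields are placeholders.

```python
"""Check a DKIM-Signature header's h= tag against the header-signing
rules discussed in the post (DKIM-BASE section 5.4).

Added example, not code from the list post. Sample headers are constructed."""
import re

# Section 5.4: the From header field MUST be signed.
REQUIRED = {"from"}
# The post's "bare minimum" of persistent, well-known headers.
RECOMMENDED = {"from", "to", "subject", "date"}


def parse_tags(sig_value):
    """Split a DKIM-Signature value into a {tag: value} dict.
    Folding whitespace inside values is removed, as tag=value lists allow."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(sig_value):
    """Return the lower-cased header names listed in the h= tag."""
    h = parse_tags(sig_value).get("h", "")
    return [name.lower() for name in h.split(":") if name]


def check_signed_headers(sig_value):
    """Return (ok, missing_required, missing_recommended)."""
    present = set(signed_headers(sig_value))
    missing_required = sorted(REQUIRED - present)
    missing_recommended = sorted(RECOMMENDED - present)
    return (not missing_required, missing_required, missing_recommended)


# Constructed sample signatures (bh= and b= values are placeholders).
GOOD = ("v=1; a=rsa-sha256; d=example.com; s=sel; "
        "h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER")
# Folded header with From omitted from h=: violates the section 5.4 MUST.
BAD = ("v=1; a=rsa-sha256; d=example.com; s=sel;\r\n\t"
       "h=To : Subject; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for label, sig in (("good", GOOD), ("bad", BAD)):
        print(label, check_signed_headers(sig))
```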

