Douglas Otis wrote:
Without this assurance, the DKIM signature is practically
Some months ago you were firmly in the "crypto timestamp" camp,
what happened ?
only when the signature itself indicates the 2822.From
address has been validated.
Okay, we can update 5.4 in base if necessary, e.g. add a flag
where that's the case.
The factors needed for security are:
- a signature assured 2822.From address
- the DKIM signature associated with the 2822.From address
(by being within the 2822.From domain or via policy)
- presences of the valid 2822.From address in the address
I'd prefer PRA where you say 2822.From, but otherwise ACK.
That's not yet covered in base, how can the MSA say that the
2822-From is okay ? Even where the domains match it's not
necessarily okay. The MSA has to know who submits the mail,
which PRA can be used by that authenticated user, and the
case PRA != 2822.From has to be documented, the procedure in
that case would be different.
NOTE WELL: This list operates according to